Hashs.
Posted: Tue Jul 18, 2006 9:39 am
by tecktalkcm0391
Are md4 md5 sha1 sha256 sha384 sha512 ripemd128 ripemd160 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru gost adler32 crc32 crc32b haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5 all hashes? If so how would I call them, and which one would be the more recent or "best" one to use?
Posted: Tue Jul 18, 2006 9:43 am
by Ward
Yes, they're all hashing methods. There isn't necessarily a 'best' one to use, it just depends what you want to do with it. For example, for storing passwords in a database, it's common to store the MD5 hash. This is more secure than simply storing the plain-text password.
Hashing is one-way, which means that it can't (easily) be decrypted. When a user is logging in, you can't simply match the password he typed to the password in the DB. You check to see if the MD5 hash of what he typed matches the MD5 hash in the DB.
MD5 will always return a 32-character hash, no matter how long the input string is.
Creating an MD5 hash is easy:
$myString = "Hello World";
$myHash = md5($myString);
print $myHash;
Posted: Tue Jul 18, 2006 9:52 am
by tecktalkcm0391
OK, well, how could I call the other ones just to play around with them?
Re: Hashs.
Posted: Tue Jul 18, 2006 10:17 am
by Roja
tecktalkcm0391 wrote:Are ... all hashes?
Yes.
tecktalkcm0391 wrote:If so how would I call them
Install the mhash extension, and then look at the documentation for use:
http://us2.php.net/manual/en/ref.mhash.php
tecktalkcm0391 wrote:and which one would be the more recent or "best" one to use?
More recent is almost always the opposite of best in the crypto world. Cryptology is based on math primarily, and in math, a 'proof' is only solid when it has been tested extensively for years. There are plenty of little "gotchas" that can hide for a number of years without someone finding them.
As an example, SHA-0 was used for a period of time before the NSA discovered a substantial weakness in it, and advised against its use. (They also helpfully pointed the community towards SHA-1).
There is no answer to "Which is the best". It depends on your needs, your requirements, the type of data, and more. Research each, until you find one that suits your needs.
However, there is an answer to which you SHOULDN'T use: According to Bruce Schneier (posting to sci.crypt, 12 Nov 1998), "GOST has a 256-bit key, but its key schedule is so weak that I would not use it as a hash function under any circumstances."
Posted: Tue Jul 18, 2006 10:29 am
by Luke
Posted: Tue Jul 18, 2006 11:01 am
by Todd_Z
I'd stay away from md5:
Reverse Lookups
Posted: Tue Jul 18, 2006 11:04 am
by RobertGonzalez
Use Feyd's SHA256. Regardless of what you use though, use something when it comes to passwords. MD5 and SHA1 are not as 'secure' as they once were, but they are still better than plain text. Salts are another good mechanism to use in conjunction with hashing.
Posted: Tue Jul 18, 2006 11:09 am
by Burrito
this did nothing for the few md5's I tried:
here's one:
4fa065ba97e6bba5a4b5d492fd61ad83 = somepas
Posted: Tue Jul 18, 2006 11:20 am
by Jenk
Burrito wrote:
this did nothing for the few md5's I tried:
here's one:
4fa065ba97e6bba5a4b5d492fd61ad83 = somepas
But they will from now on :p
Posted: Tue Jul 18, 2006 12:03 pm
by Luke
Reverse lookups won't work if you use a salt.
Posted: Tue Jul 18, 2006 12:06 pm
by Roja
The Ninja Space Goat wrote:Reverse lookups won't work if you use a salt.
Being a nitpicker, you can make a reverse lookup table for $secret + $salt, so they COULD work if you use a salt.
It's just that storage, processing, and lookups in tables that large are computationally infeasible, so no one does it.
Yet.
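The salting point made in the posts above, as an added example that is not part of the original thread: the same password stored for two users under per-user salts, checked against a small table precomputed over unsalted digests. The helper names `make_record()` and `check_login()`, the sample password and the three-word list are assumptions constructed for this illustration; `sha256` is one of the algorithms named in the opening question.

```php
<?php
// Added example, not code from the thread. Needs PHP 7+ (random_bytes, hash_equals).
// make_record() and check_login() are hypothetical helper names.

function make_record(string $password): array
{
    // A fresh random salt per user, stored in the clear beside the digest.
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function check_login(array $record, string $attempt): bool
{
    // Re-hash the attempt with the stored salt and compare in constant time.
    $candidate = hash('sha256', $record['salt'] . $attempt);
    return hash_equals($record['hash'], $candidate);
}

// Constructed sample data: two users who picked the same password.
$password = 'blue-kettle-42';
$alice = make_record($password);
$bob   = make_record($password);

// A table precomputed over unsalted digests (constructed three-word list).
$table = [];
foreach (['letmein', 'blue-kettle-42', 'hunter2'] as $word) {
    $table[hash('sha256', $word)] = $word;
}

// What would be stored if no salt were used at all.
$unsalted = hash('sha256', $password);

$report = [
    'unsalted digest found in table'      => isset($table[$unsalted]),
    'salted digest found in table'        => isset($table[$alice['hash']]),
    'two users share the same stored hash' => $alice['hash'] === $bob['hash'],
    'login with the right password'       => check_login($alice, $password),
    'login with a wrong password'         => check_login($alice, 'letmein'),
];

foreach ($report as $label => $result) {
    printf("%-38s %s\n", $label . ':', $result ? 'yes' : 'no');
}
```

The salt is not a secret: it is stored next to the digest so the login check can repeat the computation, and its job is to make a table built for one salt useless against any other record.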
Posted: Tue Jul 18, 2006 12:09 pm
by Luke
I have been using sha1 + salt for everything I do.
Posted: Tue Jul 18, 2006 2:19 pm
by Ward
There's tons of tricks you could do to make your hash harder to reverse lookup. For example, salting, but what about double-hashing? For example:
Posted: Tue Jul 18, 2006 2:24 pm
by Weirdan
Double hashing reduces entropy.
Posted: Tue Jul 18, 2006 2:54 pm
by Luke
Ward wrote:There's tons of tricks you could do to make your hash harder to reverse lookup
Oooh oooh I have one!! suggest your users use hard-to-guess passwords!
DUH~!
