SHA-512/1024

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Would you like to get your hands on SHA-512/1024 before I release the framework?

Poll ended at Thu Apr 13, 2006 4:32 am

"Yes! I can't wait!" - 10 votes (67%)
"Nope. Release it with the framework." - 4 votes (27%)
"What's this SHA business?" - 1 vote (7%)

Total votes: 15

feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

SHA-512/1024

Post by feyd »

I'll be starting work on building new, pure PHP versions of SHA-512 and likely SHA-1024 for an upcoming project (i.e. framework). Although I don't have them done yet, nor have I really started on them, I do have plans to build them soon. What timeframe that actually means is beyond me, but I hope to have them either this month or next.

I'm wondering how many of you would like to get at these classes prior to the release of said framework?

I will also be re-engineering my SHA-256 class to both accommodate the new class structure, but also to simplify its use and promote interchangeability between using 256, 512, 1024 or some future hashing construct including non-SHA based hashing routines. The first release(s) will be built against PHP 5.1+ (Strict), but I will make a backport to PHP 4.x (exact compatibility limit indeterminate as of now).

Any questions, feel free to ask. As always, I (we) will try to answer them as best we can.
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

You need to add a "Nope, never going to need it." selection. :)
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: SHA-512/1024

Post by Roja »

feyd wrote: I'm wondering how many of you would like to get at these classes prior to the release of said framework?
I'm a patient one. As long as the existing sha-256 class remains available, any future improvements are just gravy.

As to the backport/compat issue, I can't run it if it's PHP5-only, so I'm definitely all for the backport. :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

:) Sweet!

As for me... I'm all PHP5 now and no PHP4 so it makes little difference to me to be backward compatible. Most people are still using 4 though afaik, haven't checked the stats recently.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

I'm perfectly fine with only 256, but I would gladly update if you did release it, I see the added security as a bonus (256 is already sufficient)
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

I don't see a problem with making 512/1024 PHP5+ only. If need be, they can use SHA-256, which is perfectly fine.

If they are that worried about security, and NEED to use something stronger, then they can also spend the hour or so upgrading PHP.
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

sha-256 is still secure enough for my needs but I could barely wait to see what you come up with next.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

AKA Panama Jack wrote: You need to add a "Nope, never going to need it." selection. :)
It's there, it's called "The Back Button" :)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

You can't rely on the absence of a vote as a vote for "no", that would produce inaccurate results
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

jshpro2 wrote: You can't rely on the absence of a vote as a vote for "no", that would produce inaccurate results
In this case, people who have no need for it have no impact on the question. Whether Feyd delays the release or not, someone who doesn't need it at all won't care either way.

Hence, the back button *is* the correct answer for those few individuals, and it doesn't produce inaccurate results - because Feyd wasn't asking how many people need it. He was asking when the people that DO need it need it by.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

That's why I chose the words I did. :) If people don't care about a very high level security hash then this doesn't concern them. It's mildly surprising they would read the thread at all considering the title. :lol:
pennythetuff
Forum Newbie
Posts: 22
Joined: Sun Feb 19, 2006 6:05 pm
Location: Kokomo, Indiana

Post by pennythetuff »

I'm an avid user of the 256 script. It'd be great to see 256/512/1024 all in the same script. I work with a wide range of PHP environments since I freelance so a backport would be truly amazing.