I need to make a hash with JS and PHP but I need them to both work out to be the same hash.
I am just wondering what the best idea would be to go about it. it needs to be secure, but its not hashing sensitive data so doesn't need a huge amount of security around it.
could anyone give me some examples
Thank you.
You could use MD5: the php and the JS solution should work out to be the same given the same string input. http://pajhome.org.uk/crypt/md5/ has a list of hash implementations in javascript, and PHP implementations of md5 are documented here, and both have examples at hand.
You'll need to be careful that you use the exact same input to both functions, but otherwise it shouldn't be too painful.
Well don't forget that javascript is inherently insecure because it is client side, but if you're hashing for communication with say ajax, or you don't want to spend the money on a ssl certificate, then this could be the way to go.
The most common hashing algorithms are md5 and sha256. Now, because these are algorithms they don't need to be coded into the language (as they are in php), but can written with the language. Some very smart people have already done the hard work for you, and now you just need to get their source.
MD5: http://www.webtoolkit.info/javascript-md5.html
SHA256: http://www.bichlmeier.info/sha256.html
A more modern approach
In PHP, use:
$hash = hash('sha256', "here_is_my_input_string");
Then in JavaScript you can use the Web Crypto API:
function hashAsync(algo, str) {
return crypto.subtle.digest(algo, new TextEncoder("utf-8").encode(str)).then(buf => {
return Array.prototype.map.call(new Uint8Array(buf), x=>(('00'+x.toString(16)).slice(-2))).join('');
});
}
hashAsync("SHA-256", "here_is_my_input_string").then(outputHash => console.log(outputHash));
// prints: 4bb047046382f9c2aeb32ae6d2e43439f05d11bd74658f1d160755ff48114364 which also matches 3rd party site: https://emn178.github.io/online-tools/sha256.html
Thanks to https://stackoverflow.com/a/55926440/470749
Related
I am creating a custom payment processing component for Joomla. This component has an API that allows users to process payment from other sources such as Woocomerce, Wix etc.
I will like to know if it is safe to generate the "Client Key" and the "Client Secret" with my own written PHP script.
//Client Key
$key = md5(microtime(true).mt_Rand());
//Client Secret
$secret = bin2hex(random_bytes(32));
If not, I will be glad if someone can point me to a more reliable script.
Thank you
Generating a key using PHP is not inherently unsafe, as long as you take some precautions. While your question may attract a lot of opinion-based suggestions which may all be correct, I'd suggest some pointers
md5 should be avoided whenever possible. Nowadays, collision attacks for md5 are simple enough to be considered trivial even if you are using a random salt upong hash generation. You should at least use sha1 (which is also somewhat easy to collide, albeit no as easy as md5) or sha256.
There's a lot of alternatives in case you want to stay away from sha1/sha256 too, although sha256 is, by 2018 standards, secure enough as a hashing algorithm. I would, however, use something other than microtime as the hash input parameter. Even though you're salting it, it's quite predictable. Just to err on the safe side of predictability, I'd advise concatenating something extra (i.e., microtime.mt_rand.something_else_which_is_also_random)
As for the secret, I'd suggest something more robust. There's no such thing as true randomness in PHP from a cryptological standpoint, so random_bytes may be more predictable and exploitable than it would seem at first glance. That, combined with the fact that bin2hex is just a conversion and not a one-way function, makes the whole secret a weak link. I'd use a longer string (32 seems weak) and combine it with something else (perhaps a bitwise XOR with a random string of equal length)
I'm new to the whole encryption/decryption playground. However, I'm trying to find a way to encrypt a string to send it over http. It doesn't have to be real secure, just something to discourage your common script-kiddy. It's not very important or sensitive data.
That being said, what would be the easiest way to implement an encryption/decryption algorithm that will easily work in Lua and PHP? PHP is so popular, I'm sure I could find a small class for just about any algorithm that isn't already in the mcrypt library... Therefore, I suppose this question is actually more-so targeted towards the easiest thing to implement in Lua.
Any suggestions? Examples?
Thanks
If you can send binary data, try this:
function change(s,a)
local t=""
for i=1,#s do
t=t..string.char((a*s:byte(i))%256)
end
return t
end
function encrypt(s)
return change(s,3)
end
function decrypt(s)
return change(s,171)
end
(Caveats: Not cryptographically secure. If the string you want to send is very long, change may be slow.)
I'd like to know is there a string hashing function that would produce identical results both in JavaScript and PHP, just to avoid text transmissions in cases when some textual data coming from the client side needs to be verified on the server side for being the same as expected?
Yes, See this md5 hashing function for JS. Here is sha1.
You'd find more in http://PHPjs.org
There are a variety of string hashing algorithms you can select from. Google will give you lots of choices. One popular algorithm is MD5 which I'm sure you can find implementations for in both javascript and PHP. Here's one reference on MD5 with javascript code and here's a second reference for javascript.
MD5 has the characteristic you are seeking that the same string always produces the same hash value and it can be implemented in any language.
I don't know PHP myself, but it appears that PHP might already have a function called md5() built in. See here for a reference.
If you use MD5 hashing, you will get the same result in both javascript and PHP
PHP MD5 Hash
JQuery MD5 plugin
or Without JQuery MD5 function
I am migrating my PHP code to Google App Engine - Java.
Since I couldn't find an equivalent function of crypt in Java,
I can do without it if I find an equivalent function in actionscript.
Edit 1: Here is my php code for encrypting passwords :
$password = "test123";
$pwd = crypt($password,$password);
echo $pwd;
Output is (On Windows as well as a linux based server on HostMonser):
temjCCsjBECmU
as3crypto might be of help. It provides DES, and together with Base64, you should be able to recreate PHP's crypt function. OTOH, unless you really need the exact same behaviour, you might just as well take anything else the library offers.
greetz
back2dos
Don't think you'll find an exact analog. crypt() as exists in PHP is an artifact of its Unix heritage, and is usually just a wrapper around the base C library. It won't even behave identically between operating systems.
What you should do is define your password hashing practice clearly (e.g. SHA256 with 8 bytes of salt or something), and run it through a library providing the appropriate algorithm.
Google for com.adobe.crypto (pretty sure it's part of the as3corelib project), it has several cryptographic hash functions.
You can accomplish this same thing in Java as well (and probably better and faster), though I don't know any particular libraries off the top of my head, not having dealt much with Java.
Incidentally, you should probably read through these articles before going much further:
http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Crypt_(Unix)
http://en.wikipedia.org/wiki/Salt_(cryptography)
When passing data to another PHP script using Get or Post, should I encrypt it with a MD5 with salt? or is there a better way to do it?
What kind of data? MD5 isn't an encryption function, it's a hashing function--once you MD5 it there's no "unencrypt," you can't get the original data back.
If you're transmitting critical data (e.g. credit card, bank account, or social security numbers) you should use a secure SSL connection (i.e. HTTPS).
It depends on what you are trying to accomplish.
Generally, if you only want to verify that the data is coming from your app, pass the data along with a hash that verifies the data hasn't been tampered with.
If you are looking to literally encrypt data in the request, you should look into encryption and not hashing.
$a = 2;
$b = 3;
$hash = sha1($salt.$a.$b)
$link = "http://www.domain.tld/?index.php?a=$a&b=$b&hash=$hash";
Then:
$a = $_GET['a'];
$b = $_GET['b'];
$hash = sha1($salt.$a.$b);
if ($_GET['hash'] == $hash) {
//data ok
} else {
// data has been tampered with
}
If you are sending sensible data (such as password, username or even email) you should send this data encrypted in some "strong" way. It can be sent in plain but over HTTPS for example.
If HTTPS is not an option you can always encrypt data with some free/open solutions like GnuPG.
By the way, MD5 is "one way" (but it can be cracked) so you can't un-MD5 easily.
I get the impression that the underlying motivation for this question is the misconception that PHP is less safe than other web-development languages. Other platforms like ASP/.NET may have pre-built methods for keeping things top secret, but those methods only work if they are used. The same goes for PHP. Taking your question as a concern for PHP's security (which is an assumption, and while I could be wrong for you, it is a popular assumption), I would respond: the best way to secure data transfers with PHP is to use the same practices and techniques used for ALL other platforms, such as SSL, strong passwords, confirming IP addresses, not leaving the keys under the mat (ie role-based cookies), and everything else suggested for this question.
Having said that, you obviously want to be secure and want to use PHP, so I'm not jumping down your throat. But I would highly recommend studying up on some basic web-security techniques so that you will know not only how to encrypt your data, but the tons of other things to watch out for as well.
If you do not want to use a HTTPS connection and are not passing sensitive data, I would recommend encrypting the data and possibly using a message authentication code in the process.
You may want to look at the Mcrypt manual.
While not specifically related to GET/POST data, I found an article entitled PHP encryption for the common man that discusses how to secure data in your PHP application.