What is difference in CodeIgniter sha1 and normal PHP sha1?
For example:
$codeigniter_hashed = $this -> encrypt -> sha1( "test" );
And
$normal_hashed = sha1("test");
Both will return same values.
Where does CodeIgniter uses encryption_key?
If your PHP installation doesn't have sha1 installed, you can use the CI version. If your PHP installation already has it, you don't need to use the CI function.
From the user guide:
$this->encrypt->sha1();
SHA1 encoding function. Provide a
string and it will return a 160 bit
one way hash. Note: SHA1, just like
MD5 is non-decodable. Example: $hash =
$this->encrypt->sha1('Some string');
Many PHP installations have SHA1
support by default so if all you need
is to encode a hash it's simpler to
use the native function: $hash =
sha1('Some string');
If your server does not support SHA1
you can use the provided function.
More info: http://codeigniter.com/user_guide/libraries/encryption.html
Pretty sure the function you show is a pure SHA encrypt - you only use a specific encryption_key if you want to key/encode the data so only you (the holder of the encryption key), will be able to decrypt it.
$encrypted_with_encryption_key = $this->encrypt->encode($var);
$encrypted_with_sha_no_enc_key = $this->encrypt->sha1($var);
the encryption key is saved at config/config.php
as
$config['encryption_key'] = 'some key';
Related
I want to encrypt some data uisng SHA256 hashing algorithm
<?php
$encryption_key = "aldskfje49345rgaefa";
echo hash('sha256', "hello world");
?>
Try Using hash_hmac() Like this hash_hmac('sha256',);
Read the Manual Here
Just a suggestion...
When you do this
echo hash('sha256', "hello world");
You are not encrypting your data but you are hashing them.
The difference between both ?
Hashing is one way. You generate an unique and irreversible hash.
Encrypting is two way. You can encrypt your data with a key and decrypt with the same key.
So in your situation, you should avoid using SHA256 algorithm. Instead, I recommand you to use Crypt facade provided by Laravel. The key used for encrypting your data is your APP_KEY environnement variable (which is generated when you install your project).
If you have not this, you can simply generate it by execute this command :
php artisan key:generate
So, you will need to share the key with your friend, and use the same algorithm. I let you read the documentation about Crypt Facade.
In PHP, I have a public key (already as an OpenSSL resource). I'd like to calculate that public keys fingerprint (SHA1 or other hash).
How do I do this?
PHP version is 7.2 or older.
EDIT: This is not a duplicate of the other question, because that question is about doing this for an SSH key with SSH (and related) commands. I want to do the same thing using PHP and the PHP-extension openssl.
I've found the solution myself. The basic idea:
Decode the base64 encoded part of the key in PEM format (after removing spaces from it)
Hash the resulting binary data.
In code (PHP):
function getPublicKeyFingerprint(string $pemEncodedKey, string $hashAlgorithm = 'sha1')
{
$keyWithoutPemWrapper = \preg_replace(
'/^-----BEGIN (?:[A-Z]+ )?PUBLIC KEY-----([A-Za-z0-9\\/\\+\\s=]+)-----END (?:[A-Z]+ )?PUBLIC KEY-----$/ms',
'\\1',
$pemEncodedKey
);
$keyDataWithoutSpaces = \preg_replace('/\\s+/', '', $keyWithoutPemWrapper);
$binaryKey = \base64_decode($keyDataWithoutSpaces);
return \hash($hashAlgorithm, $binaryKey);
}
if you need a hash php has multiple hashing functions available:
sha1() - https://php.net/manual/en/function.sha1.php
md5() - https://www.php.net/manual/en/function.md5.php
or use hash() if you need a more specific algorithm - see the docs
I would like to ask you whether it is safe to use this class to store users' passwords in database.
https://www.codeigniter.com/user_guide/libraries/encryption.html
I generated some random string (32 chars) as encryption key.
For encryption I would use $this->encrypt->encode($pwd)
The only thing I would like to know whether it is safe or I should use md5 or sha1 or something different.
THanks
It's pretty safe because decryption will need access to your salt key, in the config file. But I recommend you only use this method if you REALLY need decryption. For passwords usually is not needed.
Better than that, use SHA1. Double encrypt your passwords with a random seed.
$seed = random_string();
$pwd = sha1($pwd . $this->config->item('encryption_key'));
$pwd = sha1($pwd . $seed);
Then store both (pwd and seed) in your database. When checking if password match, encrypt with SQL.
So another stack overflow user recommended the following code to create a hash:
$password = 'my password';
$salt = strtr(base64_encode(openssl_random_pseudo_bytes(18)), '+', '.');
$pwhash = crypt($password, sprintf('$2y$%02d$%s', 13, $salt));
Is there another function for openssl_random_pseudo_bytes if I don't have openssl installed? Does it make sense to install this, and if so, how would I do this?
Try using mcrypt_create_iv(18). Although it is used for generating initialization vectors for encryption it uses /dev/random by default for generating a random vector.
EDIT: http://php.net/manual/en/function.mcrypt-create-iv.php
PHP 5.5 will have it's own functions password_hash() and password_verify() to create BCrypt hashes (that is what your function does). There is a compatibility pack for PHP 5.3/5.4 available, downloadable in form of a single php file password.php.
It is a well done implementation, that uses mcrypt_create_iv, but has a fallback to openssl_random_pseudo_bytes.
mcrypt_create_iv($raw_length, MCRYPT_DEV_URANDOM);
Note that the mcrypt_create_iv function reads from MCRYPT_DEV_URANDOM, that's enough for creating password salts (salt should be unique and unpredictable). In contrast to the default value MCRYPT_DEV_RANDOM it does not block the server, should there be not enough entrophy available.
I'm used to having hashing algorythms return always the same hash.
Why does phpass library return always different hashes?
Does it have something to do with the IV? (I never fully understood that concept)
<?php
require __DIR__ . '/PasswordHash.php';
$hasher = new PasswordHash(11,false);
$password = 'bla123';
echo $hash = $hasher->hashPassword($password); // different for each request
according to this section "What if the user already exists?" it's normal behaviour of this library
It uses crypt(), which already generates different hashes for the same string. It hashes each password with a different key, and it stores the key inside the hash (it's public).