I use a php script that hashes passwords using php's crypt and uses SHA512, however when I try to check if SHA512 is set I get the above error. Of course I know WHY I get this error.. php is missing some dependency. I just don't know what that dependency is.
Can anyone please tell me what I need to install (on a Ubuntu server) to be able to use SHA512 in PHP ?
Thanks!
The php docs say that built-in support for SHA-256 and SHA-512 was added in PHP 5.3.2. If you use any earlier versions of PHP, it relies on implementations of those algorithms provided by your system, which apparently yours does not have.
Make sure you have newest version of PHP5 and install mcrypt - also contains alot of other encryption methods like rinjdael (AES)
Bottom line, you should be using mcrypt, not SHA512 or any md5 style hasher. It's too easy to brute force decrypt them. There is a ton of good reference at http://www.php.net/manual/en/function.mcrypt-generic.php and all over google. Below is an example of a 3DES hashed URL using the reference function urlsafe_b64encode from http://www.php.net/manual/en/function.mcrypt-generic.php#71135
$key = "what can i tell you";
$request = http_build_query($_REQUEST);
$request_enc = urlencode(urlsafe_b64encode(mcrypt_ecb(MCRYPT_3DES, $key, $request, MCRYPT_ENCRYPT)));
$url = "http://localhost/takemerightthere/".$request_enc;
Related
According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
function generateHash($password) {
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
return crypt($password, $salt);
}
}
I can manage my code by using function_exists before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.
Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2
For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility
According to manual: password_hash this function can be used for (PHP 5 >= 5.5.0)
After searching for an alternative way I found this simple function from here: http://www.sitepoint.com/password-hashing-in-php/
function generateHash($password) {
if (defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH) {
$salt = '$2y$11$' . substr(md5(uniqid(rand(), true)), 0, 22);
return crypt($password, $salt);
}
}
I can manage my code by using function_exists before using, but My question is about above alternative code if its secure or not, or is there any alternative in older versions of PHP?
For PHP versions < 5.3.7, I'd recommend:
http://www.openwall.com/phpass/
For PHP versions >= 5.3.7, use:
https://github.com/ircmaxell/password_compat
Generating your own salts takes a lot of know how, because a good, proper salt requires a lot of entropy. Generating this salt in PHP is troublesome, which is why you usually end up depending on other resources to provide this string for you, such as /dev/urandom or openssl_random_pseudo_bytes. Believe me, this isn't something you want to try yourself without serious research and consideration.
Using the new password_* API is recommended, but it can be problematic if you need to support older versions of PHP, which is where PHPass comes in. Gotta hate those $1 per month hosting plans with PHP 5.2
For versions of PHP > 5.3.7 but prior to 5.5.0, you can find an implementation of password_hash at https://github.com/ircmaxell/password_compat written by the same person that developed the version now implemented in PHP 5.5.0+ and deliberately intended to provide backward compatibility
I have a system running on PHP version 5.2.10 Unfortunately the original programmer misunderstood how crypt() was implemented.
$crypt = crypt(trim($cuPassword), CRYPT_BLOWFISH);
// The programmer thought this is how you configure a blowfish cipher
nb CRYPT_BLOWFISH has a value of zero on this machine.
This works in as much as it produces a random looking password hash eg 0$oZ534I2VvSw
Today, I migrated the software to PHP 5.4.9 and discovered that $crypt becomes *0 , ie an error due to the invalid salt.
My problem is that I have a table of login passwords that I can no longer validate. My question: Is there going to be a way I can recreate the original cipher that ran under version 5.2? What hash was implemented when you passed "0" as a salt?
Your description doesn't really add up. In PHP 5.4.9, I tested this:
var_dump(crypt('hello', 0));
Output:
0$ny0efnQXFkE
Now in PHP 5.5, you'll get *0 when calling crypt('hello', 0). But that's okay! Because this is still true in PHP 5.5: this crypt('hello', '0$ny0efnQXFkE') == '0$ny0efnQXFkE'.
All you need to do is change how you generate your hash for new passwords. Validating existing passwords will continue to work.
For good measure, after people successfully log in, check if their hash begins with 0$. If it does, rehash the password (since they entered it, you know what it is) with the updated, proper crypt call.
I tried all valid two digit combinations (CRYPT_STD_DES) and I found that "0q" is equivalent (nearly).
PHP 5.2.10
crypt(trim($cuPassword), CRYPT_BLOWFISH);
Result = 0$txv6CWBxJ9Y
PHP 5.4.9
crypt(trim($cuPassword), '0q');
Result = 0qtxv6CWBxJ9Y
All I need to do is adjust the second character and I can match passwords again.
No, there's no way you can recreate the original cipher. Otherwise even a boy scout would be able to break blowfish.
Your best chance is to generate a random password for your users and hash it once again, then force them to change the password as soon as they login.
"$" is not a valid salt value according to crypt(3) so you need to find a crypt implementation that's equally broken as the one PHP/libc used to have :)
If verifying old passwords is enough, use Matthews answer, else try e.g. openssl which currently still seems to accept "0$" as salt:
$ echo -n "secret" | openssl passwd -crypt -salt '0$' -stdin
0$z.PXBBy6uY.
I'm looking to encrypt a string in VBScript, and decrypt it in PHP. I have full control over the VBScript/ASP Classic environment, but zero control over my PHP environment.
Given this, what sort of encryption could I use that would be adequate enough to secure a string? Apologies for the vagueness of the question, but I do not know where to begin.
Assuming the string is making its way between the servers via http then use https to send the string. That way you don't have to do the encryption/decryption, thats done for you by SSL.
The first thing you should try is simply using a standard encryption/decryption algorithm.
The problem is that these are handled by the php mcrypt extension and you may or may not have then available.
You want mdecrypt_generic. But you can test for it with:
<?php
if(function_exists('mdecrypt_generic')){
echo "Fred says 'you are going to be OK!'";
}else{
echo "Fred says 'it is a shame you cannot control your php environment'";
}
?>
If it exists then plain text that you encrypt with the same algorithm and parameters on VBScript/ASP should decrypt on PHP just fine. Be prepared to try different algorithms if you get funny results, sometime a "parameter" can really mess with you... If you do not have mcrypt then check for openssl. openssl_seal can do the same work for you, but you need to mess with x509 keys in that case. (I like CACert.org for simple x509 outsourcing...)
The other thing to consider... do you really need encryption or merely obfuscation?
HTH,
-FT
I am searching for any crypto library that provides SHA-512 hash. Googling around I found some but SHA-512 is absent.
Please suggest.
If you are using PHP >= 5.3, the function openssl_digest should do the trick :
echo openssl_digest('glop', 'sha512');
gives me this output (splitted in two lines to get better readibility) :
416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
(And you can use openssl_get_md_methods to get the list of available digest methods)
And with PHP 5.1 or 5.2, you have the hash function :
echo hash('sha512', 'glop');
gives me the same output (splitted, too) :
416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111
f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68
And, here, to know the list of available digest methods, you can use hash_algos
In PHP 5 >= 5.1.2, PECL hash >= 1.1:
hash('sha512', someStr);
See hash() for more information.
To see all hash algorithms available to you, try:
print_r(hash_algos());