How do I use the sha512 function for PHP?
Can I replace all my md5 funtions with the sha512 function?
Do I have to download something if so what?
Can any one provide examples? Thanks!
views:
98answers:
3
+5
A:
The hash() function, provided with PHP >= 5.1, should be able to generate sha512 hashes -- you can verify this calling the hash_algos() function, that lists the supported hashing algorithms.
For example, you could use :
$sha512 = hash('sha512', "Hello, World!");
var_dump($sha512);
And you'd get :
string '374d794a95cdcfd8b35993185fef9ba368f160d8daf432d08ba9f1ed1e5abe6cc69291e0fa2fe0006a52570ef18c19def4e617c33ce52ef0a6e5fbe318cb0387' (length=128)
And, on my system, the following portion of code :
$supported = hash_algos();
var_dump($supported);
Indicates that 42 hashing algorithms are supported :
array
0 => string 'md2' (length=3)
...
6 => string 'sha384' (length=6)
7 => string 'sha512' (length=6)
8 => string 'ripemd128' (length=9)
9 => string 'ripemd160' (length=9)
...
40 => string 'haval224,5' (length=10)
41 => string 'haval256,5' (length=10)
Also, with PHP >= 5.3, you should be able to use the openssl_digest() function :
$sha512 = openssl_digest("Hello, World!", 'sha512');
var_dump($sha512);
(Yep, the parameters are not in the same order as with hash() -- the magic of PHP, here...)
And, to get the list of supported algorithms, you could use openssl_get_md_methods().
On my system, this one gives me 22 supported algorithms.
Pascal MARTIN
2010-04-02 18:16:43
If your software needs to run on multiple machines, make sure it will be available on all of your machines.
TheJacobTaylor
2010-04-02 18:18:06
Can you provide a simple password login example, if its not asking to much :)
PeAk
2010-04-02 18:25:51
That's a bit more complicated that this ^^ But the basic idea is : get the password the user posted ;; hash it ;; compare that hash to the hashed-password that's stored in the database for the login the user provided ;; if they match, it's OK, and you can set something in `$_SESSION` to indicate the user is logged-in.
Pascal MARTIN
2010-04-02 18:31:00
+1
A:
Just out of curiosity, why do you want to replace the MD5 function?
It is relatively efficient. If you add a salt, it is really annoying to reverse engineer. Someone would have to perform a brute force encoding of all passwords looking for a match. Without a salt, common short strings lower case all letter strings have been cracked and stored in a database.
I would just add a salt and call it good.
Jacob
TheJacobTaylor
2010-04-02 18:17:36
MD5 is cryptographically broken: http://www.google.com/search?q=md5+cryptographically+broken
Jacco
2010-04-02 19:37:30
I view MD5 as a quick and efficient encoding algorithm, not as an encryption algorithm. Adding a sufficient salt will make it more painful to reverse engineer the passwords. I would also use a salt that is not in the database. You are correct though, with enough time and willpower, you can definitely come up with a password that will match a presented MD5. If I were changing to a better algorithm, I would go for something much higher, it will save having to upgrade again for a long time.
TheJacobTaylor
2010-04-02 21:35:51
I hope your sufficient salt is *random* and *different for every hash*. Otherwise, you are largely defeating their purpose: http://stackoverflow.com/questions/1645161/salt-generation-and-open-source-software/1645190#1645190
Jacco
2010-04-13 09:12:54
And yes, MD5 is quick. But that is exactly what you do NOT want for hashing passwords.
Jacco
2010-04-13 09:15:01