Hash encryption methods using php
LE 31 October: Thank you Fanis!
Hashing methods using php
Hashing is the basis of it all when it comes to security; in basic scripting, md5 is the easiest basic method of hashing. A lot of developers use this for basic protection, including wordpress developers for their passwords. I confirmed this today when a client of mine was having issues with access to his wordpress blog. Well anyway, in this article I’m going to show you some easy hashing methods using php.
1. md5 hashing using php
I already said that this is the basics of hashing, used almost everywhere. A simple line of code can be used to turn a string directly into an md5 hash. It can be used in a number of cases, but mostly I’ve seen it used when you want to have a login section fast and easy.
For instance, a really fast method of confirming whether you allow someone access to a specific section is an example like the one below:
```php
<?php
$str = 'Bob';

if (md5($str) === '2fc1c0beb992cd7096975cfebf9d5c3b') {
    echo "Bob is now logged in!";
}
?>
```
In the above example we have a string “Bob”. The condition checks whether the md5 of Bob is identical to our hash value “2fc1c0beb992cd7096975cfebf9d5c3b”, including the type (string).
If the condition returns true, then it will print a message that “Bob is now logged in!”. This is also just a simple example of how you use this. Normally the hash is stored in a safe place like databases or specific files that are not viewable by the world.
2. sha1 hashing using php
Another way to generate a unique hash for a specific string is by using the sha1() function already present in most php versions. This can be used in almost the same situations as md5, basically it is just another method of generating the hash string. Below is an example of this adjusted to use the sha1() function.
```php
<?php
$str = 'Bob';

if (sha1($str) === 'da6645f6e22bf5f75974dc7eed5fcd6160d6b51e') {
    echo "Bob is now logged in!";
}
?>
```
Same approach, just make sure you have the hash strings saved in a proper safe place.
3. hash() method using php
The hash() function has been available since version 5 of php, and you can use almost any hash algorithm through it directly. Incidentally, a benchmark has been made to track which is faster: using the md5() function directly or using hash() with the md5 algorithm (of course other hash algorithms were tested too, with similar results). But first let’s adjust the same example to use hash() with the md5 algorithm.
```php
<?php
$str = 'Bob';

if (hash('md5', $str) === '2fc1c0beb992cd7096975cfebf9d5c3b') {
    echo "Bob is now logged in!";
}
?>
```
It will always give the same result when hashing the string, that’s mostly why these are used for login / private sections of a website or similar. As for which is faster, hash() or md5() you can run the below test:
```php
<?php
$time = microtime(1);
for ($i = 0; $i < 100000; $i++) {
    hash('md5', 'string');
}
echo microtime(1) - $time, ': hash with md5<br>';

$time = microtime(1);
for ($i = 0; $i < 100000; $i++) {
    md5('string');
}
echo microtime(1) - $time, ': md5<br>';
?>
```
The result will be similar to:
```
0.0855069160461: hash with md5
0.079409122467: md5
```
Seems like using md5() function is a bit faster than using the hash() function with md5 algorithm.
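The benchmark above runs 100,000 MD5 computations in under a tenth of a second, and that speed is what makes a bare md5()/sha1() comparison weak for stored passwords. The following is an added example, not code from the original article: it checks a login against either a legacy md5 record or a salted bcrypt hash and upgrades the legacy record on success. The `verify_and_upgrade()` and `time_it()` helpers, the `$save` callback and the cost value are assumptions made for illustration.

```php
<?php
// Added example, not from the original article. Requires PHP >= 7.0.
const HASH_OPTIONS = ['cost' => 12]; // assumed work factor; tune for your hardware

/**
 * Check a login against a stored hash and upgrade legacy md5 records.
 * $save is a hypothetical callback that persists the new hash for the user.
 */
function verify_and_upgrade(string $input, string $stored, callable $save): bool
{
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($input))   // constant-time string comparison
        : password_verify($input, $stored);   // salt and cost are read from $stored

    if ($ok && ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS))) {
        $save(password_hash($input, PASSWORD_BCRYPT, HASH_OPTIONS));
    }
    return $ok;
}

/** Seconds taken to run $fn $n times. */
function time_it(callable $fn, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return microtime(true) - $start;
}

// Constructed legacy record: what the article's first example would store for 'Bob'.
$record = md5('Bob');
$save = function (string $newHash) use (&$record) { $record = $newHash; };

var_dump(verify_and_upgrade('Bob', $record, $save));   // legacy path, record is upgraded
echo $record, "\n";                                     // now a salted bcrypt string
var_dump(verify_and_upgrade('Bob', $record, $save));   // password_verify() path
var_dump(verify_and_upgrade('Alice', $record, $save)); // wrong password

// Each password_hash() call draws its own salt, so two hashes of 'Bob' differ.
$a = password_hash('Bob', PASSWORD_BCRYPT, HASH_OPTIONS);
$b = password_hash('Bob', PASSWORD_BCRYPT, HASH_OPTIONS);
var_dump($a === $b);

// Cost per guess: md5 is cheap for whoever is guessing, bcrypt is deliberately slow.
printf("md5 x100000: %.4fs\n", time_it(function () { md5('Bob'); }, 100000));
printf("bcrypt x1:   %.4fs\n", time_it(function () { password_hash('Bob', PASSWORD_BCRYPT, HASH_OPTIONS); }, 1));
```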
4. Crypt encryption using php
This option is really similar to the md5(), sha1() or hash() functions for generating the hash string for a password. An example can be found below:
```php
<?php
$password = "this string will be encrypted";
// No salt argument is passed here; PHP 8.0 and later require one.
$password_hash = crypt($password);

echo $password_hash;
// result will be similar to: $1$zbuxcUoS$Bc.iVXKQ5AXXAEQ9iw6t51
?>
```
This will generate a DES encryption of the value of the variable $password; however, I mostly recommend using the md5 hash directly if this is all you need.
5. Mcrypt with blowfish algorithm encryption using php
This option is a bit more advanced. It has a similar approach to the hash() function and can be used with different encryption algorithms like 3des, blowfish, rijndael-256 and others, but unlike a hash, this one can be decrypted. However, I’m going to go only through the encryption part since that’s what this article is about.
Below is an example I made really quickly and adjusted to use the blowfish algorithm:
```php
<?php
$rand = rand();
$key = substr(md5($rand), 0, 24);

$data = "This is a string encrypted using mcrypt.";
$encryption_method = "blowfish";

// ext/mcrypt was removed from PHP core in 7.2 (PECL only since then).
$td = mcrypt_module_open($encryption_method, '', 'ecb', '');
// An IV is generated here, although ECB mode does not use it.
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
mcrypt_generic_init($td, $key, $iv);

$encrypted_data = mcrypt_generic($td, $data);
echo $encrypted_data; // print encrypted data here

mcrypt_generic_deinit($td);
mcrypt_module_close($td);
?>
```
I’ll try to explain a bit: to use the mcrypt functions you need 4 specific variables, and 2 of them need to be saved in order to decode the encrypted data.
The first two lines generate the key that is used for encrypting and decrypting your input data. It must not have more than 24 characters. To make it as unique as possible, I’m running the rand() function to generate a random number and then using md5 to generate a hash string. However, since this will have more than 24 characters, I’m using substr() to limit the string to positions 0 to 24. Make sure you save this key for decrypting!
Next we have the input data and the encryption method. The encryption method should also remain the same, you can’t really decrypt something using a different algorithm, right? Then we choose the encryption method, which for this example is blowfish.
Then we use the mcrypt functions to open the encryption module and generate a start vector. Next we run the mcrypt_generic_init() function with the 3 variables, which contain the algorithm, the key and the vector for the encryption.
And finally we actually run the encryption on our input data using mcrypt_generic() function. We finish by terminating the encryption and closing the module algorithm handle.
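The same encrypt step with PHP's openssl extension, as an added example that is not part of the original article; it also shows the decrypt side and which values have to be stored (the key stays secret, the IV and tag travel with the ciphertext). It assumes PHP 7.1 or later; `seal()` and `unseal()` are hypothetical helper names, and AES-256-GCM is swapped in for the article's blowfish/ECB.

```php
<?php
// Added example, not from the original article. Requires PHP >= 7.1 with ext/openssl.
const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

/** Encrypt and return base64(iv . tag . ciphertext); only the key must be kept secret. */
function seal(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV for every message
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

/** Reverse of seal(); throws if the key is wrong or the data was modified. */
function unseal(string $sealed, string $key): string
{
    $raw = base64_decode($sealed, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed input');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32); // from the CSPRNG rather than substr(md5(rand()), 0, 24)
$data = "This is a string encrypted using openssl."; // constructed sample input
$sealed = seal($data, $key);
var_dump(unseal($sealed, $key) === $data); // round trip with the saved key

// Flip one bit of the stored ciphertext: the GCM tag check rejects the message.
$raw = base64_decode($sealed);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    unseal(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```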
There are a lot more encryption methods like openssl, sha2, bcrypt and more, but I will finish with this.
I just remembered something right after finishing writing this: sha1 appears to have been broken, collisions have been discovered in 2**69 hash operations; however, this has not been cracked yet, so it’s still safe. More information here.
That’s it for this article, got it pretty long it seems, sorry about that. Until next time!