How to use SHA-2 (One-Way Hash Function) to hash passwords in readable format?
What is a One-Way Hash Function?
A one-way hash function maps an arbitrary-length input message M to a fixed-length output hash H(M) such that the following properties hold:
* One-way: Given a hash H(M), it is difficult to find the message M.
* Second preimage resistant: Given a message M1, it is difficult to find another message M2 such that H(M1) = H(M2).
* Collision resistant: It is difficult to find two messages M1 and M2 such that H(M1) = H(M2).
Examples of one-way hash functions:
| Hash Algorithm | Output Hash Length (bits) | Notes |
|---|---|---|
| Message Digest (MD4) | 128 | insecure |
| MD5 | 128 | |
| Secure Hash Algorithm 1 (SHA-1) | 160 | insecure, broken |
| SHA-256 | 256 | |
| SHA-384 | 384 | |
| SHA-512 | 512 | |
I would like to know how to use SHA-256 to hash my passwords. Is mhash the only function that can do it? mhash(MHASH_SHA256,$string);
When I use mhash(), I get a string with weird characters like “?[#?8??10?7″?0*”?;???f?U??” instead of something like “5b5cdff61cdb68ed059e39b3f9c82588”. Concerning the output of mhash(MHASH_SHA256,$string), is it normal to get a string with some weird characters?
In this case it is probably normal. The output you get is in binary, so you need to convert it into a more human readable form. You could use bin2hex() with the output of mhash().
So is there also a PHP function to convert from binary to an alphanumeric string?
bin2hex() and base64_encode() would be another option, but you are probably more familiar with hex strings.
bin2hex() converts a string of ASCII characters to their corresponding hexadecimal values. Note that any value passed to the function is converted to an ASCII string (if possible). The string can be converted back using pack().
base64_encode() encodes data using the base64 algorithm and returns the encoded data. Base64 encoding is used to encode data before it is transferred across legacy email systems that only support 7-bit ASCII. For more information on base64, refer to RFC 2045.
echo bin2hex(mhash(MHASH_SHA256, $string));
echo base64_encode(mhash(MHASH_SHA256, $string));
echo base64_encode(bin2hex(mhash(MHASH_SHA256, $string)));
echo bin2hex(base64_encode(mhash(MHASH_SHA256, $string)));
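The encodings discussed above, side by side, as an added example that is not code from the original post. It uses PHP's bundled hash() in place of mhash(), and goes one step beyond the post by ending with password_hash(); the sample password and the digest_matches() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input, not taken from the original post.
$password = 'correct horse battery staple';

// hash() ships with PHP; passing true as the third argument returns the
// raw binary digest, which is what mhash() returns as well.
$raw = hash('sha256', $password, true);
$hex = bin2hex($raw);          // same value hash('sha256', $password) returns
$b64 = base64_encode($raw);

printf("raw    : %d bytes (not printable)\n", strlen($raw));
printf("hex    : %d chars  %s\n", strlen($hex), $hex);
printf("base64 : %d chars  %s\n", strlen($b64), $b64);

// Both encodings are reversible views of the same digest.
var_dump($hex === hash('sha256', $password));
var_dump(hex2bin($hex) === $raw, base64_decode($b64, true) === $raw);

// Stacking encodings, as in the last two echo lines, only adds length.
printf("base64(hex): %d chars, hex(base64): %d chars\n",
    strlen(base64_encode($hex)), strlen(bin2hex($b64)));

// Hypothetical helper: compare a stored hex digest with a candidate
// password without leaking where the strings differ (timing-safe).
function digest_matches(string $storedHex, string $candidate): bool
{
    return hash_equals($storedHex, hash('sha256', $candidate));
}
var_dump(digest_matches($hex, $password), digest_matches($hex, 'wrong'));

// Beyond the post: a bare SHA-256 digest has no salt and is fast to
// compute, so for stored passwords PHP provides password_hash(), which
// salts, applies a slow algorithm and returns a printable string.
$stored = password_hash($password, PASSWORD_DEFAULT);
printf("password_hash: %s\n", $stored);
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong', $stored));
```

Run it with the PHP command-line interpreter; the password_hash() output differs on every run because a fresh random salt is generated each time.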
<?php
$string = "I'm Jiltin and I'm ok...\n";
// Convert a string to its hex representation
$hex_string = bin2hex($string);
echo $hex_string, "\n";
// Convert the hex string back to binary
echo pack('H*', $hex_string);
echo "\n";
echo "Here is a character-by-character breakdown of how the hex values
correspond with character values:\n\n";
// Show more clearly how bin2hex() converts strings
// Loop through the converted string two characters at a time
for ($ndx = 0; $ndx < strlen($hex_string); $ndx += 2) {
    // Grab the two hex values that represent a single character
    $hex_chunk = $hex_string[$ndx] . $hex_string[$ndx + 1];
    // Show each chunk of the string, along with the character it represents
    printf("Hex: %s Char: %s\n", $hex_chunk, pack('H2', $hex_chunk));
}
?>
Second example
<?php
// Show how bin2hex() handles non-strings
echo "bin2hex('1') returns: " . bin2hex('1') . "\n";
// It converts non-character data to an ASCII string
echo "bin2hex(1) returns: " . bin2hex(1) . "\n";
// Can you tell the difference?
// To make bin2hex() show the hex representation of 1, use an octal escape sequence
echo 'bin2hex("\1") returns: ' . bin2hex("\1") . "\n";
// Try converting a character outside the range of the ASCII character table
echo 'bin2hex("\400") returns: ' . bin2hex("\400") . "\n";
?>
Can you confirm the string that is returned with bin2hex is a unique hash string of the input?
No, you have no guarantee that there will be no hash collisions. However, such collisions are rather unlikely so you can ignore them. If you want to be safe, record them in the database with the UNIQUE constraint.
Reference: http://www.cs.rit.edu/~ark/lectures/onewayhash/onewayhash.shtml