stackoom
  简体   繁体   中英

PHP crypt producing different results

 原文  2013-08-05 18:32:18       php/ crypt

Question

Okay i am sitting here since hours scratching my head at this issue and i cannot figure out what is wrong. I am trying to encrypt a password via a random salt with crypt but when i try to login the has is always wrong.

Let me walk you through the script: 

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2y$%02d$", $cost) . $salt;
$hash = crypt($password, $salt);

echo $hash;
echo crypt($password, $hash);

Outputs the following with password as 'asdfgh': 

$2y$10$865uru.sXJheD9TQKLDnZuTZfpAXv83UDuaSFfb.G2qIxBzEb1pOi
$2y$10$865uru.sXJheD9TQKLDnZuTZfpAXv83UDuaSFfb.G2qIxBzEb1pOi

The hash in the database looks like this: 

$2y$10$865uru.sXJheD9TQKLDnZuTZfpAXv83UDuaSFfb.G2qIxBzEb1pOi

For the login script we have the following code for testing purposes: 

echo $data->hash . '<br>';
echo crypt('asdfgh', $data->hash) . '<br>';
echo crypt('asdfgh', '$2y$10$865uru.sXJheD9TQKLDnZuTZfpAXv83UDuaSFfb.G2qIxBzEb1pOi');

And that outputs the following: 

$2y$10$865uru.sXJheD9TQKLDnZuTZfpAXv83UDuaSFfb.G2qIxBzEb1pOi
$2y$10$865uru.sXJheD9TQKLDnZuRRPJQwjWh2PGgtntpcsnRaGzvv5Sfte
$2y$10$865uru.sXJheD9TQKLDnZuRRPJQwjWh2PGgtntpcsnRaGzvv5Sfte

While the database string is still correct, and even by passing the correct string manually to the function the generated hash is different. I am out of solutions ...

If anyone could help me i would very much appreciate it.

PHP Version 5.4.16 on Windows

UPDATE: Here is the updated snippets with the salt: 

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2y$%02d$", $cost) . $salt;
$hash = crypt($password, $salt);

$data = array(
    'id' => '',
    'username' => $username,
    'hash' => $hash,
    'email' => $email,
    'salt' => $salt,
);

$this->mdl_registration->_insert($data);
$this->load->view('registration_submit');

For the login script: 

function check_login($password) {
    $username = $this->input->post('username');
    $result = $this->get_where_custom('username', $username);
    foreach($result->result() as $data) {
        echo $data->hash . '<br>';
        echo crypt('asdfgh', $data->salt) . '<br>';
        $test = crypt($password, $data->salt);
        if($test == $data->hash) {
            return TRUE;
        }
        else {
            $this->form_validation->set_message('check_login', 'Invalid Username and / or Password');
            return FALSE;
        }
    }
}

The echos for testing purposes return the following: 

$2y$10$ZgbOXM18lArDu/u/Ftsdr.t7VPnLsqLJdC2Dum8pl/flW8LmnnUoS
$2y$10$ZgbOXM18lArDu/u/Ftsdr.s5N5juHB/zq/5SN/7oFAjn9CZKjI9H6

2 answers

solution1
 0  2013-08-05 18:54:30

Well, my answer doesn't actually solve why this code isn't working. I thought it was due to the $salt not being passed, but apparently crypt() accounts for this so long as the salt is within the provided $hash ...

Anyhow, I can suggest an alternative method to accomplish this. Feel free to ignore this and wait for a solution, or adapt this. Up to you. 

$password = 'asdfgh';
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$hash = hash('sha256', $password . $salt);
for($round = 0; $round < 60000; $round++)
{
    $hash = hash('sha256', $hash . $salt);
}

This creates the salt slightly differently, uses a different hashing algorithm and also iterates through the hash 60,000 times (relatively short for a user 1-2 seconds).

Store this $salt in the database along with the $hash.

Now, for the login script just include this snippet...

(assuming $password is 'asdfgh') 

$newHash = hash('sha256', $password . $salt);
for($round = 0; $round < 60000; $round++)
{
    $newHash = hash('sha256', $newHash . $salt);
}
if($newHash===$data->hash){
  //Match!
}

I tried this with several different data sets and the hashes always matched up, so you could use this.

Or you can wait for a real security expert to come explain why your code didn't work :)

Hope this helped!

solution2
 0  2013-08-20 12:29:24

Your salt has the wrong format.

According to the docs :

CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".

Your salt has a) invalid characters ( = as fill character at the end of the base64) and b) is too long (24 chars instead of 22).

This might be the cause of your problem.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Different versions of PHP different results of crypt () PHP .crypt() results identical for different strings and salts Device differences in PHP code producing different results PHP producing different results in cli and browser Why is crypt() generating different results? PHP pg_unescape_bytea producing different results on different machines PHP crypt function on different OS php bitwise XOR and js bitwise XOR producing different results SHA-1 producing different results in Objective-C and PHP… ideas? PHP crypt function results : how does it work?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM