Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
PHPASS MD5 implementation over SHA-2
Posted by: Xeoncross
Date: April 25, 2009 09:45PM

As most of you know, the hashing algorithm isn't as important as the length of the string hashed. A plain 10 char MD5 is known as very insecure - but a 4 char Blowfish is even worse. So salting is very important to get that original string over 30chars long and out of the reach of a rainbow table.

With that in mind I am trying to decide on wither to use the http://www.openwall.com/phpass/ method (which uses MD5 or DES when there is no BLOWFISH installed) or to go with the SHA-2 family of hashing algorithms.

This will be for an open-source system so I can't rely on bcrypt being installed (needs PHP 5.3.0+ or a PECL or a patch) which makes me think that SHA-2 (only needs PHP 5.1.2+) would be better for everyone. I could also get away from MD5.

Since phpass has been adapted by wordpress, drupal, and many others I would think that they must have reviewed it. However, SHA-2 comes with higher ranked referrals (like the government).

Another problem is that phpass takes almost a whole second to create a hash which is a rather long time (SHA256 only takes 1.4E-5sec).

So does anyone have any ideas on this?

My blog | PHP Security Video

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Posted by: Kyo
Date: April 26, 2009 04:50AM

almost a whole second? That can't be right.

I did some benchmarks and I came up with 0.008 most of the time, and 0.02 sometimes. Both for md5 and blowfish.

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Date: April 29, 2009 05:52PM

http://www.nanolink.ca/pub/sha256/ have you checked that out? It wouldn't be hard at all to edit code so it always uses the script's SHA-256 function no matter if its PHP4 or PHP5. This way no PECL required since its pure PHP code.

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Posted by: Kyo
Date: May 03, 2009 03:43PM

pure PHP? That can't be efficient

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Date: May 03, 2009 10:49PM

I don't have a PHP server at hand at the moment, can anyone benchmark the nanolink.ca script?

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Posted by: Kyo
Date: May 04, 2009 11:09AM

I'll do it later today

Options: ReplyQuote
Re: PHPASS MD5 implementation over SHA-2
Posted by: barbarianbob
Date: May 05, 2009 04:59PM

I didn't download the source, but the site takes 2.069454 seconds for a 8136 char string.

hash('sha256',str_repeat('A',8136)) on my localhost takes 0.00029397010803223 seconds.

Same input str, same output str, BIG difference in time.

Options: ReplyQuote


Sorry, only registered users may post in this forum.