dongpu1315 2017-08-13 10:15
浏览 276
已采纳

加密和比较哈希值

Checked a lot of tutorials and guides about Encrypting and Hashing on StackOver and I do now understand the difference between both of them. Encryption when we need decryption. Hash when you don't (e.g: passwords).

But my question today is, for generating random unique tokens. A lot of people recommend using base64_encode(rand_bytes(32)); because it generates a secure cryptographical id with random bytes/letters so it takes a long time to be cracked by a brute force ( to be predicted ).

But when you, for example, hash_hmac or crypt that id will it make it weaker? If so it won't matter if you use mt_rand or random_bytes as it will generate other letters/id. So what do you guys recommend?

Also, Is crypt better than hash_hmac for hashing?

The last question, Since blowfish has a really strong hashing algorithm, do I need to store my, for example, PHPSESSID or CSRF token with it or just a normal random_bytes?

Please guys, provide me with detailed information about these questions or documentation. Sorry for my lack of information and inexperience, I am new to PHP coding and thanks!

Edit: I have seen some guides on SO, not covering all my questions, so I need a 2017 detailed information not a 10 years ago post where md5 was the best etc..!

  • 写回答

3条回答 默认 最新

  • dpizd08264 2017-08-13 11:04
    关注

    When you just want tokens that are unpredictable, use random_bytes(32). As long as you keep the tokens secret, there is no reason to alter the result of this function.

    But you ask a lot of specific questions, so I will try to answer them as best I can:

    When you hash or crypt() that id will it make it weaker?

    This depends on the HMAC or crypt routine. When you generate 32 bytes of random data, and then use a function to reduce the size to 16 bytes, the security will be halved. However, if you use a cryptographically secure function that has at least 32 bytes of output, the security is not reduced. Now I say this, because crypt() is not cryptographically secure function. When hashing passwords, use password_hash() instead.

    Is there a difference between using mt_rand and using random_bytes?

    Yes, it will matter. mt_rand() uses a Mersenne Twister random number generator. These are not secure. This means that an attacker could use token values to guess other tokens. In the case of mt_rand(), this is often very easy. If you need the tokens to be secure (authentication tokens, session cookies, CSRF tokens, id's that may not be enumerated, etc.), use random_bytes. Also, if you are not sure, use random_bytes.

    Also, Is crypt better than hash_hmac for hashing?

    No. Crypt is deprecated and you should not use it. Use HMAC when you need message authentication codes (for example for password reset URLs). For password hashing, use password_hash.

    Do I need to store my, for example, PHPSESSID or CSRF token with Blowfish or just a normal random_bytes?

    Just use random_bytes. The random data is already random, it does not need to be randomized again. At least, as long as you keep these tokens secret and revoke them immediately when they have been leaked.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

  • 加密比较哈希值 php
    2017-08-13 10:15
    回答 3 已采纳 When you just want tokens that are unpredictable, use random_bytes(32). As long as you keep the to
  • PHP和C#中的不同MD5哈希值 c# php
    2018-05-29 10:50
    回答 1 已采纳 The hash value ee1ae334e4bdeceb54caab15555f2f40 is the MD5 hash over test-server::7250406f7c435245
  • PHP数据库比较哈希登录与db mysql php
    2017-06-17 19:30
    回答 1 已采纳 Solved it! Added the following code: $hashslingingslasher = password_hash($upass, PASSWORD_D
  • imagehash:PHP PHP的感知图像哈希
    2021-02-25 09:31
    与诸如MD5和SHA1的加密哈希函数相比,感知哈希是一个不同的概念。 使用加密哈希时,哈希值是随机的。 用于生成哈希的数据的行为类似于随机种子,因此相同的数据将生成相同的结果,但是不同的数据将生成不同的结果。...
  • 关于打印出@加哈希值 java 有问必答
    2021-03-18 18:14
    回答 4 已采纳 test类加一个toString的方法,返回String,具体内容看你自己想要的打印结果。如: public String toString(){ return "myEvent="+my
  • 从sql保存并获取哈希值 mysql php
    2016-10-11 23:10
    回答 1 已采纳 I think that's because your $key variable has an MD5 hash already, but when you make the update qu
  • 哈希值会不会用完?既然长度固定
    2015-12-18 11:31
    回答 4 已采纳 理论上会,但是这个值超过了宇宙中原子的个数。即便宇宙中每个原子可以存储一个文件,也不会重复。 但是,如你所知,hash是会重复的,虽然在自然情况下重复概率可以忽略,但是人为制造相同hash,但是数据
  • php md5加密算法源码,MD5加密和哈希算法
    2021-04-28 09:58
    秦哲祺的博客 MD5加密算法为现在应用最广泛的哈希算法之一,该算法广泛应用于互联网网站的用户文件加密,能够将用户密码加密为128位的长整数。数据库并不明文存储用户密码,而是在用户登录时将输入密码字符串进行MD5加密,与...
  • PHP - 无论如何在PHP加密/解密哈希? [关闭] php
    2017-06-08 11:40
    回答 2 已采纳 Hashing algorithms are not encryption algorithms. Hashing algorithms have the following principles
  • Php - 密码哈希 php
    2015-10-25 23:58
    回答 1 已采纳 It's hard to understand what you're asking, but I bet you want to hash the value of $password befo
  • 在Ruby中追加并增加哈希值 php ruby
    2016-01-25 09:16
    回答 2 已采纳 I think PHP's array/hash duality confuses you. A "hash with auto-incrementing keys" would be just
  • 哈希算法和加密算法的本质区别
    2022-02-10 21:51
    我是bug王的博客 它可以是任何东西,从简单的 crc32 到完整的加密哈希函数,例如 MD5 或 SHA1/2/256/512。关键是正在进行单向映射。它总是一个多:1 映射(意味着总会有冲突),因为每个函数产生的输出都比它能够输入的要小(如果你...
  • C#SSO哈希迁移到PHP c# php
    2018-04-03 17:39
    回答 2 已采纳 I don't know php at all, but still can help I think. First, as stated in my comment, Rfc2898Derive
  • PHP PHP的感知图像哈希-PHP开发
    2021-05-27 07:45
    ImageHash感知哈希是多媒体文件的指纹,该指纹是从其内容的各种功能派生而来的。 与依赖于输入中的小变化...与诸如MD5和SHA1的加密哈希函数相比,感知哈希是一个不同的概念。 使用加密散列时,散列值是随机的。 数据
  • php-perl哈希算法实现(times33哈希算法)
    2021-01-21 15:53
    复制代码 代码如下:APR_DECLARE_NONSTD(unsigned int) apr_hashfunc_default(const char *char_key, apr_ssize_t *klen){ unsigned int hash = 0; const unsigned char *key = (const unsigned char *)char_key;...
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 #MATLAB仿真#车辆换道路径规划
  • ¥15 java 操作 elasticsearch 8.1 实现 索引的重建
  • ¥15 数据可视化Python
  • ¥15 要给毕业设计添加扫码登录的功能!!有偿
  • ¥15 kafka 分区副本增加会导致消息丢失或者不可用吗?
  • ¥15 微信公众号自制会员卡没有收款渠道啊
  • ¥100 Jenkins自动化部署—悬赏100元
  • ¥15 关于#python#的问题:求帮写python代码
  • ¥20 MATLAB画图图形出现上下震荡的线条
  • ¥15 关于#windows#的问题:怎么用WIN 11系统的电脑 克隆WIN NT3.51-4.0系统的硬盘