生成用户唯一的hmac密钥以进行密码散列

For my website's password hashing I wrote the following function:

public function hash($user) {
    $user_key = hash_hmac('sha512', $user['id'].$user['email'], $this->site_key);
    $password = hash_hmac('sha512', $user['password'], $user_key);
}

I generate user unique keys to use for the final password hashing. Because this key is hashed with sha512 it should give enough security based on what I read on wikipedia:

The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output length in bits and on the size and quality of the cryptographic key.

I have not seen this way if hashing passwords before and was wondering if it is good enough?

Extra: I have not used a salt because I think hmac appends the provided key to the data (like a salt), is this right?

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dongzine3782 2011-07-16 12:11
关注
OK, first and foremost. Do not write up your own function to do password hashing. I'm not doubting your skills, but to be safe do not do your own hashing system. And an HMAC your key is OK, but I'd still not use it.

Finally I'd suggest that you do this for your users passwords.

<?PHP $password=$user['password']; $username=$user['username']; $salt='usesomesillystringforsalt'; $hashed_password=crypt($password.$username,'$2a$04$usesomesillstringforsalt$'); ?>

This algorithm uses Bcrypt which is based upon Blowfish it is a very robust algorithm and is what Gawker media went to after they were hacked due to the robustness and usefulness for password hashing. crypt ^{PHP Manual}

Next up, remember to change the part that says usesomesillystringforsalt to something else. It needs to be 22 digits of base64 salt A-Z,a-z,0-9,/ and "."

Go to that link to find out more about the algorithm itself. I suggest that you just use this implementation as it is much much stronger than the one that you were suggesting.

If you want to go a step forward, I'd suggest that you use a unique salt for every user. If you want to do that, I can write up an example function which will show you how to do that.

As stated, if you have any more questions feel free to ask.
解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

为什么我的hmac密钥关闭了？
2017-12-13 04:33

回答 1 已采纳 As per the docs of the given library, the key format is as below: s{signature} Please check the
在PHP中为Rail PNR API生成HMAC SHA1 php
2015-04-18 17:13

回答 1 已采纳 The values that are to be passed in the API is supposed to be in the alphabetical order. Like in m
如何在PHP中扩展用户加密密码？ php
2016-05-27 22:40

回答 3 已采纳 The problem is in the function: function generate_key_from_password($password) the line: $salt
PHP常用的接口MD5加密根据密钥生成签名方法
2022-07-01 15:19

LordForce的博客 PHP接口根据密钥进行MD5加密生成签名获得小写的签名
如何生成HMAC node.js
2016-09-10 12:29

回答 1 已采纳 You need to use the same encoding in your Go program as you do in your Node.js program (hex): pac
java和php的hmac_sha1结果不同，求高手帮忙 java php
2015-04-12 12:13

回答 1 已采纳自己已经搞定，解决了哇！
HMAC_SHA1在PHP和Lua上有所不同 lua php
2017-06-23 11:39

回答 1 已采纳 According docs string hash_hmac(string $algo, string $data, string $key [, bool $raw_output = fal
java hmac-sha1生成签名_java – 如何使用HMACSHA1和密钥创建签名以连接到Kayako API
2021-03-08 09:39

Ruin-鸣的博客我正在尝试使用apache commons HTTP Client连接到第三方应用程序API.我正在尝试连接的API是...生成随机字符串以创建salt(在PHP中,您将使用mt_and()来执行此操作)>通...
将PHP中的hash_hmac转换为rails等效项 php ruby
2015-12-10 13:57

回答 1 已采纳 You can do like this require 'openssl' require 'json' private_hash = 'e249c439ed7697df2a4b045d97
如何在PHP上使用hash_hmac（）和“SHA256withRSA”？ php
2015-05-11 08:22

回答 2 已采纳 Here is the code that worked in the end: // Get the certificate file and read the key $pubKey = o
NodeJS HMAC哈希创建 node.js php
2017-06-17 08:07

回答 2 已采纳 ok so, i used this tool writephponline to run this php code: $public = 'JkAFq7M47kLN0xVD'; $priva
php hmacsha1计算,PHP HMAC_SHA1 算法生成算法签名
2021-04-22 17:17

青云若水的博客 HMAC_SHA1(Hashed Message Authentication Code, Secure Hash Algorithm)是一种安全的基于加密hash函数和共享密钥的消息认证协议。它可以有效地防止数据在传输过程中被截获和篡改，维护了数据的完整性、可靠性和...
Go Hmac SHA1生成的哈希与Java中的Hmac SHA1不同 java
2015-05-15 06:37

回答 1 已采纳 The Go code you provided gives exactly the same output as the Java code. Try it on the Go Playgro
php hmac,PHP安全：MAC和HMAC
2021-03-24 01:26

weixin_39883208的博客原标题：PHP安全：MAC和HMAC消息认证码(Message Authentication Code，MAC)在发送消息的基础上通过Key生成加密摘要，通常被用于检测消息在传输过程中是否被篡改。MAC消息认证过程如图1所示。图1 MAC消息认证过程在...
【密码学】基于 SM3 算法的 HMAC 快速实现
2020-05-22 23:35

Rg4sun的博客基于 SM3 算法的 HMAC 快速实现 Presented by R.G. 如不想阅读详细实现原理，请直接阅读SM3hmac快速上手(使用手册) 部分，本文所有的代码文件见我的github仓库RG_SM3hmac，欢迎关注～注：本README有少量数学...
PHP HMAC_SHA1 算法生成算法签名
2019-03-27 15:03

weixin_34411563的博客 HMAC_SHA1(Hashed Message Authentication Code, Secure Hash Algorithm)是一种安全的基于加密hash函数和共享密钥的消息认证协议。它可以有效地防止数据在传输过程中被截获和篡改，维护了数据的完整性、可靠性和...
没有解决我的问题, 去提问

悬赏问题

¥100 求三轴之间相互配合画圆以及直线的算法
¥100 c语言，请帮蒟蒻写一个题的范例作参考
¥15 名为“Product”的列已属于此 DataTable
¥15 安卓adb backup备份应用数据失败
¥15 eclipse运行项目时遇到的问题
¥15 关于#c##的问题：最近需要用CAT工具Trados进行一些开发
¥15 南大pa1 小游戏没有界面，并且报了如下错误，尝试过换显卡驱动，但是好像不行
¥15 自己瞎改改，结果现在又运行不了了
¥15 链式存储应该如何解决
¥15 没有证书，nginx怎么反向代理到只能接受https的公网网站