sha1, md5, other cryptography and How to



Today we will talk about cryptography. As we know, cryptography is the set of methods used to ensure the confidentiality and authenticity of information; it is a science in its own right. Encryption can be reversible (we can recover the source text) or irreversible (we cannot recover the source text). Today we will talk about using irreversible methods (md5, sha, haval, ripemd and others) in web development.

Irreversible encryption is most often used for passwords, so that they are never stored as plain text. Thus even if your database is compromised, the attacker does not get a single password in plain text. Checking whether the user entered the correct password is simple: we hash the entered data in the same way and compare the results. Of course, passwords are not the only place where this is used. We can also hash text or files and, after transfer, check the hash sum of the sent data. These are just a few examples of its use.


OK, so how do you hash your text in PHP? We can use the following functions:

  • md5 – calculates the md5 hash of a string (first parameter: the string to hash).
  • sha1 – calculates the sha1 hash (first parameter: the string).
  • crypt – a hashing function that uses the standard Unix DES-based algorithm or other algorithms available on the system (first parameter: the string).
  • hash – calculates a hash using a chosen algorithm (first parameter: the algorithm name, second: the string to hash). You can get the list of available algorithms from the hash_algos() function; for example you can use ‘md5’, ‘sha1’, ‘sha256’, ‘crc32’, ‘ripemd128’ and others. The list contains more than 30 algorithms!


OK, here is a method for using sha1 to validate passwords.

Step 1. During registration we store the sha1 hash of the member's password:

$sSha1Pass = sha1($_POST['password']); // then store the value of $sSha1Pass as the hash_password of this member

Step 2. Validation of members (login process):

$sUsername = mysql_real_escape_string($_POST['login_username']); // 'login_username' is the assumed name of the username form field
$sSha1Pass = sha1($_POST['login_password']);
// now we look in the database (the table holding our users) for the entered username:
$sSQL = "SELECT * FROM `users` WHERE `username`='{$sUsername}' LIMIT 1";
// next, execute that SQL via your gateway (MySQL wrapper class);
// the result is an array, $aUser, with the user's fields; now we just validate it
// (strict comparison, so PHP does not treat the two hex digests as numbers)
if ($sUsername != '' && $sSha1Pass === $aUser['password']) {
    // user validated: the correct password was entered, so we allow the login
}

Instead of sha1($sOurString) we can always use the following:

$sSha1String = hash('sha1', $sOurString);

This works just as well, of course.
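The two steps above, carried through as an added example (not code from the original post). It keeps the post's unsalted sha1 scheme only for verifying records that already exist, and places beside it the hardened form that the comments below point to: bcrypt through PHP's password_hash()/password_verify(), prepared statements instead of string-built SQL, and a constant-time comparison for the legacy check. The `users` table, its `username` and `password` columns, the sample users and the in-memory SQLite database are all constructed for this example; PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumes a `users` table with
// `username` and `password` columns (names chosen here), PHP 7+, and the
// pdo_sqlite extension for the self-contained demo at the bottom.

const BCRYPT_COST = 12;

// The post's scheme: an unsalted sha1 digest. Kept only so existing records
// can be verified once and upgraded; new records are never created with it.
function legacyHash(string $password): string
{
    return sha1($password);
}

// Even the legacy check uses hash_equals(): it runs in constant time and
// avoids PHP's loose ==, which treats digests such as "0e..." as numeric zero.
function legacyVerify(string $password, string $storedSha1): bool
{
    return hash_equals($storedSha1, sha1($password));
}

// A stored value of exactly 40 hex characters is a legacy sha1 record;
// bcrypt values start with "$2y$" and are 60 characters long.
function isLegacyHash(string $stored): bool
{
    return preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
}

// Registration: bcrypt with a per-user random salt generated by password_hash(),
// inserted through a prepared statement rather than a string-built query.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: verify against whichever scheme the stored value uses, then rewrite
// legacy or under-cost hashes with bcrypt while the plaintext is still in hand.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username
    }
    $stored = (string) $row['password'];

    if (isLegacyHash($stored)) {
        if (!legacyVerify($password, $stored)) {
            return false;
        }
        $needsRehash = true; // migrate this record off unsalted sha1
    } else {
        if (!password_verify($password, $stored)) {
            return false;
        }
        // true if the stored bcrypt hash was made with a lower cost than we want now
        $needsRehash = password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    if ($needsRehash) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password = :p WHERE username = :u');
        $upd->execute([':p' => $new, ':u' => $username]);
    }
    return true;
}

// --- Demo with constructed data ---------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// A record created under the post's sha1 scheme (constructed sample user).
$db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)')
   ->execute([':u' => 'alice', ':p' => legacyHash('correct horse')]);

// A record created with the hardened scheme (constructed sample user).
registerUser($db, 'bob', 'battery staple');

echo 'alice / wrong password: ', loginUser($db, 'alice', 'wrong') ? 'accepted' : 'rejected', "\n";
echo 'alice / right password: ', loginUser($db, 'alice', 'correct horse') ? 'accepted' : 'rejected', "\n";
echo 'bob   / right password: ', loginUser($db, 'bob', 'battery staple') ? 'accepted' : 'rejected', "\n";

// After a successful login alice's row no longer holds a sha1 digest.
$stored = (string) $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
echo 'alice still on legacy sha1: ', isLegacyHash($stored) ? 'yes' : 'no', "\n";
```

The migration branch matters in practice: a site that already stored sha1 digests cannot recompute bcrypt hashes offline, because it never had the plaintext, so the upgrade has to happen at the moment each user next logs in. Until that happens those rows stay as weak as the post's scheme, which is the point the comments below make.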


Conclusion

I hope that you like our articles and find this useful for your projects. Good luck!


2 COMMENTS

  1. Oh wow this is so totally helpful! I didn’t know that not salting passwords was secure and that POST variables like $_POST[‘password’] can never be wrong because of the magic quotes “feature”. And I finally learned that doing SQL queries yourself is cool. Thank you sooo much.

  2. Hashing passwords with sha1 or md5 once is not secure. Password hashing like this makes it very easy for brute force attacks to succeed. You are also not salting passwords. You should read up on password security and various techniques to securely hash them.

    bcrypt
    http://en.wikipedia.org/wiki/Bcrypt
    http://codahale.com/how-to-safely-store-a-password/

    or

    PBKDF2
    http://en.wikipedia.org/wiki/PBKDF2
    http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard
