1

I want to use Blowfish hashing to hash passwords.

crypt() does not support it in PHP versions prior to 5.3.

My PHP version is 5.2.14. How can I use Blowfish hashing? Can I use PEAR's Crypt_Blowfish instead?

3
  • 2
    Isn't blowfish for encryption and not hashing? Commented Jul 28, 2011 at 17:58
  • 1
    He means bcrypt, which is a password derivation scheme using some Blowfish parts. Commented Aug 19, 2011 at 11:47
  • possible duplicate of How do you use bcrypt for hashing passwords in PHP? Commented Oct 31, 2011 at 14:53

2 Answers

5

PEAR's Crypt_Blowfish is meant to stand in for PHP's MCrypt extension - it's a two-way encryption scheme, not for hashing. While bcrypt is based on Blowfish, it's not the same thing. Confusingly, PHP 5.3.0's CRYPT_BLOWFISH is a hashing algorithm.

Is there a reason why upgrading to PHP 5.3.0+ would not be possible? This isn't something you want to try to implement yourself. If you can, phpass is a great way to do bcrypt-based password hashing securely. If you absolutely can't upgrade, phpass falls back to older hashing schemes (but it's still more secure than plain MD5, etc).

If for some reason you can install Suhosin but not upgrade PHP, that would add CRYPT_BLOWFISH support.

To make sure you don't currently have CRYPT_BLOWFISH installed, try the following:

 echo (CRYPT_BLOWFISH === 1) ? 'CRYPT_BLOWFISH is enabled!' : 'CRYPT_BLOWFISH is not available'; 

4 Comments

To clarify... the php crypt() function, which can be set up to use the CRYPT_BLOWFISH method (as defined on the linked page), is a salted hash function with between 4 and 31 iterations on the hash. This is NOT a 2-way encryption function.
Is there any tutorial on how to use Suhosin for hashing?
@chnet Suhosin is a PHP patch - it just does some stuff that helps secure PHP. One of those things is adding support for CRYPT_BLOWFISH with PHP's crypt() function. It's not something you use to write applications. If you're on shared hosting, you probably won't be able to get it installed.
If you're not sure, I added something to the answer above to check if you can use CRYPT_BLOWFISH in your current configuration. And to clarify, if you had Suhosin installed you could use the CRYPT_BLOWFISH hashing same as if you had PHP 5.3.0.
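
The availability check from the answer above, extended into salted bcrypt hashing and verification through crypt(). This is an added example, not code from either answer; it assumes CRYPT_BLOWFISH is available (PHP 5.3.0+ or Suhosin), and the bf_* function names are hypothetical.

```php
<?php
// Added example; the bf_* names are hypothetical, not from the answers above.
function bf_random_bytes($n)
{
    // Assumption: the OpenSSL extension or a readable /dev/urandom exists.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($n);
        if (is_string($bytes) && strlen($bytes) === $n) { return $bytes; }
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh) {
        $bytes = fread($fh, $n);
        fclose($fh);
        if (is_string($bytes) && strlen($bytes) === $n) { return $bytes; }
    }
    return false; // refuse to fall back to rand()/mt_rand() for salts
}

function bf_hash_password($password, $cost = 10)
{
    if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) {
        return false; // no bcrypt in this build (see the check in the answer)
    }
    $raw = bf_random_bytes(16);
    if ($raw === false) { return false; }
    // bcrypt takes 22 salt characters from the alphabet ./A-Za-z0-9
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $cost = max(4, min(31, (int) $cost));
    $hash = crypt($password, sprintf('$2a$%02d$%s', $cost, $salt));
    // A bcrypt result is always 60 characters; anything else is a failure.
    return (is_string($hash) && strlen($hash) === 60) ? $hash : false;
}

function bf_verify_password($password, $stored)
{
    if (!is_string($stored) || strlen($stored) !== 60) { return false; }
    // The stored hash carries prefix, cost and salt, so it doubles as the setting.
    $check = crypt($password, $stored);
    if (!is_string($check) || strlen($check) !== 60) { return false; }
    $diff = 0; // compare without an early exit to avoid a timing side channel
    for ($i = 0; $i < 60; $i++) {
        $diff |= ord($check[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

$hash = bf_hash_password('correct horse battery staple'); // constructed input
var_dump($hash !== false && bf_verify_password('correct horse battery staple', $hash));
var_dump($hash !== false && bf_verify_password('wrong guess', $hash));
```
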
3

PEAR's Crypt_Blowfish package provides blowfish encryption using the mcrypt extension if it is available, and if not it implements the blowfish algorithm natively in php. It does not fall back to using any other form of encryption.

There is no "hand-written" documentation for the package, though; there is auto-generated API documentation derived from annotations in the package itself.

This is how I use it to encrypt:

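require_once 'Crypt/Blowfish.php';

// ECB mode, forcing the pure-PHP engine
$bf = Crypt_Blowfish::factory('ecb', null, null, CRYPT_BLOWFISH_PHP);
$iv = 'abc123+=';
$key = BLOWFISH_KEY;
$bf->setKey($key, $iv);
// Hex-encode the binary ciphertext so it can be stored as text
$encrypted = bin2hex($bf->encrypt($password));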

And to decrypt:

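// Same mode, engine, key and IV as used for encryption
$bf = Crypt_Blowfish::factory('ecb', null, null, CRYPT_BLOWFISH_PHP);
$iv = 'abc123+=';
$key = BLOWFISH_KEY;
$bf->setKey($key, $iv);
// $password holds the hex ciphertext here. hex2bin() only exists in PHP 5.4+,
// so pack('H*', ...) does the hex decoding; trim() drops trailing padding.
$decrypted = trim($bf->decrypt(pack('H*', $password)));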

Where BLOWFISH_KEY is a constant which I've defined elsewhere in the code.

In these examples I am explicitly using the PHP implementation.

If I wanted Crypt_Blowfish to decide which engine to use, i.e. to determine if it can use the mcrypt extension if it is available (and otherwise use the php implementation) then I'd change over with CRYPT_BLOWFISH_AUTO. To explicitly use the mcrypt extension, specify CRYPT_BLOWFISH_MCRYPT.
