hackalive Posted June 12, 2012 Share Posted June 12, 2012 Hi guys, I am looking at using scrypt in my PHP to hash passwords however there are not good PHP libraries for this. However there are some good C libraries and apparently it is best to load vis C rather than PHP because: It's not a very good idea to implement cryptography in a high level language such as PHP. Using a high level language opens a whole new world of pain when it comes to side channel attacks. Timing attacks, cache timing attacks and branch predictor attacks are much easier to protect yourself against if you write your crypto algorithms in C or, preferably, Assembly. So how can I take a C library and hash my password through PHP or turn a C library into Assembly then hash via PHP? PS - Was looking at this http://ftp.de.debian.org/debian/pool/main/s/scrypt/scrypt_1.1.6.orig.tar.gz but no idea about it too much, still in research phase. Thanks very much in advance. Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted June 12, 2012 Share Posted June 12, 2012 PHP's built in crypt function is perfect for hashing passwords, with very little danger of this type of attack. I believe this quote was talking about (a) encryption and not hashing, and (b) rolling it yourself instead of using a built-in library like crypt. Quote Link to comment Share on other sites More sharing options...
hackalive Posted June 12, 2012 Author Share Posted June 12, 2012 How about the stronger bcrypt? Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted June 13, 2012 Share Posted June 13, 2012 I don't know of a built-in implementation of bcrypt. Quote Link to comment Share on other sites More sharing options...
.josh Posted June 13, 2012 Share Posted June 13, 2012 could also take a look at hash() it doesn't offer bcrypt but it does offer a lot of other algorithms (you can use hash_algos to see a list of available) Quote Link to comment Share on other sites More sharing options...
.josh Posted June 13, 2012 Share Posted June 13, 2012 I also agree with ManiacDan: that statement is more for like if you were wanting to setup some kind of communication system with someone, you would be adding an extra layer (php) into the mix, thus opening up more possibilities for potential attacks. It's the same working principle that the more hoops you have to jump through, more points you have to go through to get from sender to receiver, the more opportunity to find and exploit a hole. So that statement isn't really applicable for wanting to hash a password to be stored. ... Quote Link to comment Share on other sites More sharing options...
boompa Posted June 13, 2012 Share Posted June 13, 2012 How about the stronger bcrypt? phpass supports bcrypt as its default hashing method. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.