hackalive Posted June 12, 2012

Hi guys,

I am looking at using scrypt in my PHP to hash passwords however there are not good PHP libraries for this. However there are some good C libraries and apparently it is best to load via C rather than PHP because:

Quote: "It's not a very good idea to implement cryptography in a high level language such as PHP. Using a high level language opens a whole new world of pain when it comes to side channel attacks. Timing attacks, cache timing attacks and branch predictor attacks are much easier to protect yourself against if you write your crypto algorithms in C or, preferably, Assembly."

So how can I take a C library and hash my password through PHP or turn a C library into Assembly then hash via PHP?

PS - Was looking at this http://ftp.de.debian.org/debian/pool/main/s/scrypt/scrypt_1.1.6.orig.tar.gz but no idea about it too much, still in research phase.

Thanks very much in advance.

ManiacDan Posted June 12, 2012

PHP's built-in crypt function is perfect for hashing passwords, with very little danger of this type of attack. I believe this quote was talking about (a) encryption and not hashing, and (b) rolling it yourself instead of using a built-in library like crypt.

hackalive Posted June 12, 2012

How about the stronger bcrypt?

ManiacDan Posted June 13, 2012

I don't know of a built-in implementation of bcrypt.

.josh Posted June 13, 2012

Could also take a look at hash(). It doesn't offer bcrypt but it does offer a lot of other algorithms (you can use hash_algos to see a list of available).

.josh Posted June 13, 2012

I also agree with ManiacDan: that statement is more for like if you were wanting to set up some kind of communication system with someone, you would be adding an extra layer (PHP) into the mix, thus opening up more possibilities for potential attacks. It's the same working principle that the more hoops you have to jump through, more points you have to go through to get from sender to receiver, the more opportunity to find and exploit a hole. So that statement isn't really applicable for wanting to hash a password to be stored. ...

boompa Posted June 13, 2012

Quote: "How about the stronger bcrypt?"

phpass supports bcrypt as its default hashing method.
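
Password hashing with bcrypt using only PHP built-ins, as an added example that is not part of the original thread. It assumes PHP 5.6 or later (the password_* functions arrived in PHP 5.5, after these posts were written); BCRYPT_COST, the function names and the sample password are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.6+.
// BCRYPT_COST, the function names and the sample password are constructed.
const BCRYPT_COST = 12; // assumption: tune to your hardware

function hash_password($password)
{
    // bcrypt ignores input past 72 bytes; refuse rather than truncate silently.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash; // "$2y$" . cost . "$" . 22-char salt . 31-char digest
}

// Returns true on match. $upgradedHash is set when the stored hash used an
// older cost and should be replaced in the database.
function verify_password($password, $storedHash, &$upgradedHash = null)
{
    $upgradedHash = null;
    if (strlen($password) > 72 || !password_verify($password, $storedHash)) {
        return false; // password_verify() compares in constant time
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upgradedHash = hash_password($password);
    }
    return true;
}

$password = 'correct horse battery staple'; // constructed sample
$stored = hash_password($password);
var_dump(verify_password($password, $stored, $new), $new === null);
var_dump(verify_password('wrong guess', $stored));

// A hash stored earlier at a lower cost still verifies and is flagged for upgrade.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(verify_password($password, $old, $new), is_string($new));

// crypt() reads the algorithm, cost and salt back out of the stored hash, so it
// reproduces the same string; compare with hash_equals(), not ==.
var_dump(hash_equals($stored, crypt($password, $stored)));
```
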
Archived
This topic is now archived and is closed to further replies.