
I am getting a different password key returned with hash_hmac() for the key generated at registration and the key returned at login using the exact same code.

The code used at registration is:

    $hash_key = 'mL993nHbLJe8dOeC242A8W';
    $hmac = hash_hmac('sha256', $pass, $hash_key);
    $hmac = substr($hmac, 0, 50);

and the code used to create the key to compare to is:

    $hash_key = 'mL993nHbLJe8dOeC242A8W';
    $hmac = hash_hmac('sha256', $pass, $hash_key);
    $hmac = substr($hmac, 0, 50);

Here is what is being returned:

    53bccd32d23baf691bf9c0a01b0deaa079107a72b72f4a4c08 --- Pass Key Generated by Login
    4c30997095ad3f061246ff22d096d3537f1d9d22653f533653 --- Pass Key Retrieved which was Generated at Registration

I am using the substr($hmac, 0, 50); which varies with each registration but always returns a 50 count. Not sure if this is a good idea or not, perspectives are welcomed, but the same issue occurs with or without the substr($hmac, 0, 50);.

I have also tried sha512 with the same issue.

The above code worked for me on WAMP on my computer, but when uploaded to a shared host the above-mentioned problem occurred. Assistance is appreciated,

Pete


1 Answer


ISSUE RESOLVED...

After an all-day struggle with this issue, it was resolved by wrapping $pass in a trim($pass) PHP function. Go figure. Thanks to all who took the time to assist with input.

Pete

  • I too was faced with the same problem yesterday, but after telling myself to read the manual http://us3.php.net/manual/en/function.mcrypt-encrypt.php quickly found what the issue was; having to pad zero bytes. I was lucky, I only racked my brain for a 1/2 hour, and telling myself before that: *"Hey, this should work, my logic is right."* - well well well, zero byte addition bit me, but I bit back. Glad to see yours was resolved also, *cheers*. – Funk Forty Niner Jun 21 '15 at 22:23
  • Quoted from one of the user entries: *Also, rtrim($decryptedtext, "\0") would be a better option to remove NULL padding than my lazy trim()...* which is what I used to resolve my problem. Upon viewing my HTML source, saw those zero bytes. – Funk Forty Niner Jun 21 '15 at 22:26
  • Being self-taught, oftentimes you only learn of something when you run into the problem... I had no idea there was even such a thing as Null Padding or zero bytes... lol I didn't even know what I fixed with `trim()` until your comment... Thanks for the input. – petebolduc Jun 21 '15 at 23:45
  • Same thing for me also Pete, and when things don't add up when they should, well... the manuals are usually a pretty good place to start. Why I decided to view my HTML source, must've been instinct. Cheers, and you're welcome. P.s.: On an added note, [the manual](http://us3.php.net/manual/en/function.mcrypt-encrypt.php) states: *The data that will be encrypted with the given cipher and mode. If the size of the data is not n * blocksize, the data will be padded with '\0'.* – Funk Forty Niner Jun 22 '15 at 01:02
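
The mismatch resolved in this thread can be reproduced and diagnosed with the following added example, which is not code from the original posts. It uses the question's derivation (HMAC-SHA256 truncated to 50 hex characters) and dumps the raw bytes of each input so that a trailing newline or `\0` padding becomes visible; the key, the passwords and the helper names `pass_key()` and `describe()` are constructed for illustration.

```php
<?php
// Added example; the key and passwords below are constructed sample values.
const HASH_KEY = 'example-key-not-from-the-page';

/** Same derivation as in the question: HMAC-SHA256 hex, first 50 characters. */
function pass_key(string $pass): string
{
    return substr(hash_hmac('sha256', $pass, HASH_KEY), 0, 50);
}

/** Report length and raw bytes so invisible characters show up. */
function describe(string $s): string
{
    return sprintf('len=%d hex=%s', strlen($s), bin2hex($s));
}

$registered = 'correct horse';   // value as stored at registration (constructed)
$candidates = [                  // values as they might arrive at login (constructed)
    'identical'        => 'correct horse',
    'trailing newline' => "correct horse\n",
    'NUL padded'       => "correct horse\0\0\0", // e.g. zero padding left after decryption
];

$stored = pass_key($registered);

foreach ($candidates as $label => $login) {
    // hash_equals() compares the two keys in constant time.
    $raw     = hash_equals($stored, pass_key($login));
    // trim() strips spaces, tabs, newlines, carriage returns, vertical tabs and NUL bytes.
    $trimmed = hash_equals($stored, pass_key(trim($login)));

    printf(
        "%-17s %s\n  raw match: %s, after trim(): %s\n",
        $label,
        describe($login),
        $raw ? 'yes' : 'no',
        $trimmed ? 'yes' : 'no'
    );
}
```

The same normalization has to be applied at registration and at login; trimming on only one side reintroduces the mismatch for any input that carries padding.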