1

I have an app that runs on PHP 5.3 which stores passwords hashed using PHP's crypt() function. However the hashing type (SHA 512) used is not available by default on one of the servers I'm now using which runs PHP 5.2. I've seen that with mcrypt you get a lot more flexibility but it's also more complicated to use.

Is it possible to use PHP's mcrypt functions to get the same results as with crypt (using a SHA512 salt)?

So if I input "test" with an SHA512 salt the encrypted data should be the same when using crypt() as well as when using mcrypt().

If it's not possible, can anyone give me advice on what else to do? Unfortunately upgrading to PHP 5.3 is not an option (it's a cloud server and I don't have the time to write the scripts for that).

Mark Amery
  • 143,130
  • 81
  • 406
  • 459
Naatan
  • 3,424
  • 4
  • 32
  • 51

2 Answers2

2

Can anyone tell me if it's possible to use php5's mcrypt function to get the same results as with crypt

No. Mcrypt provides functions for encryption and decryption. crypt, despite its deceptive name, provides functions for hashing. These are not the same task. Mcrypt does not provide any hashing functions, and the algorithm you want to use (SHA-512) is a hashing algorithm.

You cannot hash passwords with Mcrypt. That isn't its job. Its role and crypt's are different and do not overlap.

Mark Amery
  • 143,130
  • 81
  • 406
  • 459
0

Unfortunately MCrypt doesn't have the SHA512 cipher - you can take a look at the list of ciphers here:

http://www.php.net/manual/en/mcrypt.ciphers.php

Jack
  • 1,386
  • 1
  • 8
  • 17
  • I see, though I could probably switch to blowfish without too much trouble. The question would stay the same though, how can I use mcrypt to return me the same data crypt would? Seeing as crypt uses salts and mcrypt does not seem to do this. – Naatan Dec 02 '10 at 22:02
  • I wrote a small class and tutorial on how to use AES-128 if you would like - you can get it here: http://jservedio.com/article/1 – Jack Dec 02 '10 at 22:04
  • Thanks Jack, but I don't really want passwords to be decryptable. – Naatan Dec 02 '10 at 22:14
  • Ah - you can always use MD5? I know its POSSIBLE to reverse it, but using nested MD5 adds in that extra security (ex. md5(md5("plaintext")) ). The second MD5 seriously removes possibility of using a rainbow table to decrypt it. – Jack Dec 02 '10 at 22:24
  • You can also use the PECL Extension Hash at this link which supports SHA512 too! http://www.php.net/manual/en/book.hash.php – Jack Dec 02 '10 at 22:27
  • Thanks Jack, for now I'm using sha1.. which from what I've heard isn't all that different from md5. I use a salt stored in the DB alongside the password. I don't feel comfortable with it - I'd rather have used SHA512, but for now this will do. Here's to hoping my cloud service provider will be releasing an image that supports php5.3 soon. – Naatan Dec 02 '10 at 22:29