
I am using the following code to learn/familiarize myself with one-way password encryption, salting, and using them to verify a user on log in.

It works: I store the hashed password and the salt value in my database; I can retrieve both and compare against the plain text password, no problem.

My question is about the output, how secure it is, etc.

use strict;
use warnings;
use Digest::SHA3;

my $plaintextpassword = 'cheeseburgerandfries';

# 62 characters, so every index that rand(62) can produce maps to a character
my $salts = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

# three random indexes into $salts (perl's rand() is not a cryptographic generator)
my $s1a = int rand(62);
my $s1b = int rand(62);
my $s1c = int rand(62);
my $salt = substr($salts,$s1a,1).substr($salts,$s1b,1).substr($salts,$s1c,1);

# no size argument is given to new()
my $sha3 = Digest::SHA3->new;
$sha3->add($salt.$plaintextpassword);
my $encpw = $sha3->hexdigest;

which gives an output similar to

$encpw='7fd7d6e9b574fe6306be6c709d23050b5ad28f07e094403469229b6d'

When I take that value and run it through a text to bytes converter (online), I get

00110111 01100110 01100100 00110111 01100100 00110110 01100101 00111001 01100010 00110101
00110111 00110100 01100110 01100101 00110110 00110011 00110000 00110110 01100010 01100101
00110110 01100011 00110111 00110000 00111001 01100100 00110010 00110011 00110000 00110101
00110000 01100010 00110101 01100001 01100100 00110010 00111000 01100110 00110000 00110111
01100101 00110000 00111001 00110100 00110100 00110000 00110011 00110100 00110110 00111001
00110010 00110010 00111001 01100010 00110110 01100100

which I believe is 160 bits. As I'm really new to hashes and bits, I'm confused.

My thinking is that SHA3 is 256-bit and up, so why is the output 160-bit? I may even be misinterpreting the data, or even the information that I'm gathering from research, so forgive me.

Also, I'm certain there are easier/better/stronger/whatever ways to accomplish my goals, but I think my question is more along the lines of understanding bit length, etc.

Also, I was reading that it may be best to use a salt value length equal to the output character length, meaning my salt value would be 56 characters, just like my SHA3 output from above? I was thinking of using something rudimentary such as


# 62 characters, matching rand(62)
my $salts = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

my $newsalt = '';   # start from an empty string rather than an undefined value
my $sv = 0;

# append one random character from $salts per iteration until we have 56
while ($sv < 56) {
    my $s1 = int rand(62);
    $newsalt = $newsalt . substr($salts, $s1, 1);
    $sv++;
}

my $salt = $newsalt;

I did read about some module(s) that would give me truly random salt values, and I am interested in those, but my while loop seems to be doing the task, however unnecessary having a 56-character salt value is.

Any help and guidance would be sweet. Thanks!

  • spewn
  • Re "*my while loop seems to be doing the task*", How did you come to that (false) conclusion. – ikegami Jan 14 '21 at 05:52
  • My meaning is that I was looking for X amount of characters for my salt value; in my example it was 56 characters, but now looking, I may benefit from 32 bits / 4 bytes (4 chars?)... and my conclusion was that my while loop would output X number of random characters from the `$salts=` value. Please enlighten me as to why my conclusion is false, or is it semantics, that it doesn't truly create random characters? – spewn Jan 14 '21 at 07:33
  • Any and all help is appreciated. I am trying to learn how to swim while (no pun) I'm already in the pool. – spewn Jan 14 '21 at 07:36
  • If you have a question about how properly resolve your security needs, feel free to ask that. I answered the Perl question you asked. If you intended to ask two different questions, now you know why that's a bad idea and not allowed – ikegami Jan 14 '21 at 09:09
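As an added example, not part of the question or of any answer on this page: the salt-plus-digest construction the question describes, with the salt drawn from the kernel's random source instead of perl's rand(), and with rejection sampling so every one of the 62 symbols is equally likely (a plain modulo 62 on a byte would favour the first 8 symbols). The choice of SHA3-256, the 22-character salt length, the /dev/urandom path, the constant-time comparison and the verify routine are all assumptions of this example; the asker's post shows none of them.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA3 qw(sha3_256_hex);

# Pull $n bytes from the kernel CSPRNG (assumes a Unix-like system with
# /dev/urandom). perl's rand() is a small-state pseudo-random generator
# seeded at startup and is not suitable for salts.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Alphanumeric salt of $len characters drawn uniformly from 62 symbols.
# 256 is not a multiple of 62, so bytes >= 248 are discarded rather than
# reduced modulo 62, which keeps the distribution flat.
my @ALPHABET = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');
sub make_salt {
    my ($len) = @_;
    my $limit = 256 - 256 % @ALPHABET;          # 248
    my $salt  = '';
    while (length $salt < $len) {
        for my $byte (unpack 'C*', random_bytes($len)) {
            next if $byte >= $limit;
            $salt .= $ALPHABET[$byte % @ALPHABET];
            last if length $salt == $len;
        }
    }
    return $salt;
}

# Same construction as the question: digest over salt . password. The salt
# is stored next to the digest; it is not secret, it only has to be unique.
sub hash_password {
    my ($password, $salt) = @_;
    return sha3_256_hex($salt . $password);
}

# Compare two strings without stopping at the first mismatch, so the time
# taken does not reveal how many leading characters matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Login check: recompute the digest with the stored salt and compare.
sub verify_password {
    my ($candidate, $salt, $stored_hex) = @_;
    return constant_time_eq(hash_password($candidate, $salt), $stored_hex);
}

# Registration. 22 symbols from a 62-symbol alphabet is about 131 bits of
# salt, which meets the usual "at least 128 bits" guidance; 56 characters
# would add nothing, since the salt only needs to be unique per user.
my $salt   = make_salt(22);
my $stored = hash_password('cheeseburgerandfries', $salt);   # sample password from the question
printf "salt   = %s\nstored = %s\n", $salt, $stored;

# Login attempts against the stored (salt, digest) pair.
printf "correct password : %s\n",
    verify_password('cheeseburgerandfries', $salt, $stored) ? 'accepted' : 'rejected';
printf "wrong password   : %s\n",
    verify_password('cheeseburgerandfry', $salt, $stored) ? 'accepted' : 'rejected';
```

One caveat this example keeps rather than fixes: salt plus a single SHA-3 call is a fast hash, so an attacker who obtains the database can test candidate passwords at full hashing speed. For real logins the standard recommendation is a deliberately slow password hash such as Argon2, bcrypt or scrypt (for example Crypt::Argon2 on CPAN); the salt handling above carries over unchanged.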

1 Answer

The hash you were provided is 224 bits in size (not 160).

The module's abstract says

The module gives Perl programmers a convenient way to calculate SHA3-224, SHA3-256, SHA3-384, and SHA3-512 message digests, as well as variable-length hashes using SHAKE128 and SHAKE256.

Wikipedia confirms that these (224, 256, 384 and 512) are the standard sizes.

If you wish to get a specific size, use

use Digest::SHA3 qw( );

my $sha3 = Digest::SHA3->new(XXX);
$sha3->add(...);
my $hash = $sha3->hexdigest;

or

use Digest::SHA3 qw( sha3_XXX_hex );

my $hash = sha3_XXX_hex(...);

Use an appropriate number of bits instead of XXX.

ikegami
  • Geez, what a rookie I am! I counted the octets incorrectly, and, yes, they do come out to 224. Man! Curiously, should I leave my code as is, or is 224 vs 256 worth adding the `(256)` to the `sha3->new`? I'll continue to research; I don't just like using code examples and leaving it be. Lastly, what is the opinion of you (or anyone else) of having a longer salt value, and at what point is it just excess characters vs no extra security? Thanks again! – spewn Jan 14 '21 at 06:09
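To make the answer's size point concrete, here is an added example (not from the answer or the question) that prints the digest length of each SHA-3 variant Digest::SHA3 offers, confirms that the no-argument constructor produces SHA3-224, and shows why an online "text to bytes" converter reported 8 bits per character: it encoded the ASCII text of the hex string, not the digest bytes. The salt 'abc' is a constructed input; the password is the one from the question.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA3 qw(sha3_224_hex sha3_256_hex);

my $salt = 'abc';                     # constructed sample salt
my $pw   = 'cheeseburgerandfries';    # sample password from the question

# Each hex character encodes 4 bits, so digest bits = 4 * hex length.
sub bits_in_hex { 4 * length $_[0] }

# OO interface: the argument to new() selects the variant.
for my $size (224, 256, 384, 512) {
    my $d = Digest::SHA3->new($size);
    $d->add($salt . $pw);
    my $hex = $d->hexdigest;
    printf "SHA3-%-3d -> %2d hex chars = %3d bits = %2d bytes\n",
        $size, length $hex, bits_in_hex($hex), length($hex) / 2;
}

# The functional interface is equivalent for the same variant.
my $oo = Digest::SHA3->new(256);
$oo->add($salt . $pw);
die "OO and functional results differ"
    unless $oo->hexdigest eq sha3_256_hex($salt . $pw);

# With no argument, new() gives SHA3-224: 56 hex characters, 224 bits,
# which is the size of the digest shown in the question.
my $default = Digest::SHA3->new;
$default->add($salt . $pw);
my $hex = sha3_224_hex($salt . $pw);
die "default variant is not SHA3-224" unless $default->hexdigest eq $hex;

# What the online converter measured versus what the digest actually is.
my $raw = pack 'H*', $hex;            # hex text -> the 28 raw digest bytes
printf "\nhex text : %d characters x 8 bits = %d bits (what the converter showed)\n",
    length $hex, 8 * length $hex;
printf "digest   : %d bytes x 8 bits = %d bits (the SHA3-224 output size)\n",
    length $raw, 8 * length $raw;
```

The 160 in the question came from miscounting the octets; the converter's 448 bits and the answer's 224 bits are both correct descriptions of the same value, one of its hex spelling and one of its raw bytes. Whether to pass 256 to new() is a choice of variant, not a correctness fix: all four sizes are standard SHA-3 outputs.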