Re: [PHP-DEV] [VOTE] Hash_pbkdf2

Mon, 02 Jul 2012 19:37:52 -0700 

On Mon, Jul 2, 2012 at 5:49 PM, Anthony Ferrara <ircmax...@gmail.com> wrote:

> Sara,
>
> On Mon, Jul 2, 2012 at 8:24 PM, Sara Golemon <poll...@php.net> wrote:
> > I'd like to see hash_init() support this mode as well (for completeness).
> >  Perhaps something like the following:
> >
> > $ctx = hash_init("sha512", HASH_PBKDF2, $salt, array('length' => 32,
> > 'iterations' => 5000));
> >
> > The new fourth parameter being an overloadable options generic so that we
> > don't have an endless list of parameters for all the possible hashing
> types.
>
> The only problem that I have with this sort of implementation is that
> the only way it would work is to buffer the entire input (each
> hash_update call), and run it all at the end. That's because the data
> (password) is used in every iteration, so there's no pre-computation
> that can be done. And at that point, what's the benefit to it?
>
> public function pbkdf2($algo, $password, $salt, $iterations, $length) {
>         $size   = getHashBlockSize($hash);
>         $len    = ceil($length / $size);
>         $result = '';
>         for ($i = 1; $i <= $len; $i++) {
>             $tmp = hash_hmac($hash, $salt . pack('N', $i), $password,
> true);
>             $res = $tmp;
>             for ($j = 1; $j < $iterations; $j++) {
>                 $tmp  = hash_hmac($hash, $tmp, $password, true);
>                 $res ^= $tmp;
>             }
>             $result .= $res;
>         }
>         return substr($result, 0, $length);
>     }
>
> Contrast that to a normal hash function (used by the current
> hash_init) which iterates over blocks of input, and once it's done
> with a block, it doesn't need it anymore (which is where using
> something like hash_init/hash_update can make sense on large input).
>
> Additionally, hmac only uses the message in a single hash, so it can
> be streamed in as well (pre-compute the earlier hashes/data, stream
> the intermediate hash, then hash the final one).
>
> So while it could be added (just make hash_update buffer into a
> context, then have hash_final actually run the derivation), I'm not
> sure it makes sense to add it there.
>
> Thoughts?
>
> Anthony
>

Ah, wasn't clear on how pbkdf2 worked.  Your argument makes total sense.
Thanks for explaining it. :)

Reply via email to