Re: [PHP] other mhash hashes
Burhan Khalid wrote: ... David: You should really post this at the mhash manual entry in php.net. I'm sure others would find it useful. Good find :) Cheers, Burhan [ snippity snip snip ] Agreed! I found it very, very useful. -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
Re: [PHP] other mhash hashes
Burhan Khalid wrote: David Norman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I thought some other people would be interested in the other hashes that you can do with mhash that aren't on the php.net docs after the recent news that SHA-1 might be weaker than previously thought: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Before we get a hundred posts about SHA-1 being broken would eveyrbody please read: http://nuglops.com/blog/index.php?p=1021 and maybe *ALL* the contributions way down at the bottom of the original post link? You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY. The wise reader will put Upgrade to SHA-256 on their ToDo list and go back to work now. :-) Though I did find the post to add meta-data such as the character distribution to the hash interesting... The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] other mhash hashes
Richard Lynch wrote: ... http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Before we get a hundred posts about SHA-1 being broken would eveyrbody please read: http://nuglops.com/blog/index.php?p=1021 and maybe *ALL* the contributions way down at the bottom of the original post link? Why do you always have to ruin our fun, Richard? Do you have something against Chicken Little? :) You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY. The wise reader will put Upgrade to SHA-256 on their ToDo list and go back to work now. :-) Exactly. While I'm not sure about the time it would take to actually make use of the exploit found, it is certainly a long enough period of time that I'm not going to worry about it any time soon. Even with a significant increase in CPU performance it's going to be a while before this is a concern. Though I did find the post to add meta-data such as the character distribution to the hash interesting... I believe this is being reviewed as a possible addition to the OpenPGP standard. Then again I am no crypto expert (nor do I pretend to be, that stuff makes my head spin!). I am getting a bit OT here, but for those of you that use code that implements OpenPGP then you might want to read this: http://www.pgp.com/library/ctocorner/openpgp.html Short version: be careful about automatically decrypting OpenPGP messages; if you do this it is possible for your private key to be easily compromised. The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me. -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
[PHP] other mhash hashes
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I thought some other people would be interested in the other hashes that you can do with mhash that aren't on the php.net docs after the recent news that SHA-1 might be weaker than previously thought: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html The built in constants that the mhash docs have listed are simply integers that tell mhash what to use. So I found the integers in mhash's mhash.h: http://cvs.sourceforge.net/viewcvs.py/mhash/mhash/lib/mhash.h?rev=1.25view=auto The following works for alternate hashes in the Win32 PHP 5.0.3 release of libmhash.h. For anyone wanting a step up from SHA-1, SHA256 works. $hashes = array('CRC32' = 0, ~ 'CRC32B' = 9, ~ 'ADLER32' = 18, ~ 'MD4' = 16, ~ 'MD5' = 1, ~ 'RIPEMD160' = 5, ~ 'SHA1' = 2, ~ 'SHA256' = 17, ~ 'HAVAL128' = 13, ~ 'HAVAL160' = 12, ~ 'HAVAL192' = 11, ~ 'HAVAL224' = 10, ~ 'HAVAL256' = 3, ~ 'TIGER128' = 14, ~ 'TIGER160' = 15, ~ 'TIGER192' = 7, ~ 'GOST' = 8); foreach($hashes as $name = $number) { ~echo 'br /'; ~echo $name, ': ', bin2hex(mhash($number, 'this is a test')); } or as PHP constants: $hashes = array('CRC32' = MHASH_CRC32, ~ 'CRC32B' = MHASH_CRC32B, ~ 'ADLER32' = MHASH_ADLER32, ~ 'MD4' = MHASH_MD4, ~ 'MD5' = MHASH_MD5, ~ 'RIPEMD160' = MHASH_RIPEMD160, ~ 'SHA1' = MHASH_SHA1, ~ 'SHA256' = MHASH_SHA256, ~ 'HAVAL128' = MHASH_HAVAL128, ~ 'HAVAL160' = MHASH_HAVAL160, ~ 'HAVAL192' = MHASH_HAVAL192, ~ 'HAVAL224' = MHASH_HAVAL224, ~ 'HAVAL256' = MHASH_HAVAL256, ~ 'TIGER128' = MHASH_TIGER128, ~ 'TIGER160' = MHASH_TIGER160, ~ 'TIGER192' = MHASH_HAVAL192, ~ 'GOST' = MHASH_GOST); foreach($hashes as $name = $number) { ~echo 'br /'; ~echo $name, ': ', bin2hex(mhash($number, 'this is a test')); } I suspect if you were able to compile a more recent version of mhash, the following complete list of mhash's hashes would work, including SHA512 and WHIRLPOOL. $hashes = array('CRC32' = 0, ~ 'CRC32B' = 9, ~ 'ADLER32' = 18, ~ 'MD2' = 27, ~ 'MD4' = 16, ~ 'MD5' = 1, ~ 'RIPEMD160' = 5, ~ 'RIPEMD128' = 22, ~ 'RIPEMD256' = 23, ~ 'RIPEMD320' = 24, ~ 'SHA1' = 2, ~ 'SHA224' = 19, ~ 'SHA256' = 17, ~ 'SHA384' = 21, ~ 'SHA512' = 20, ~ 'HAVAL128' = 13, ~ 'HAVAL160' = 12, ~ 'HAVAL192' = 11, ~ 'HAVAL224' = 10, ~ 'HAVAL256' = 3, ~ 'TIGER128' = 14, ~ 'TIGER160' = 15, ~ 'TIGER192' = 7, ~ 'GOST' = 8, ~ 'WHIRLPOOL' = 21, ~ 'SNEFRU128' = 25, ~ 'SNEFRU256' = 26); foreach($hashes as $name = $number) { ~echo 'br /'; ~echo $name, ': ', bin2hex(mhash($number, 'this is a test')); } -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCEtHtqLBH+DmBuAIRAhN1AJ9YjaYRNP7d1FVp9zLXNDlBAeWvUQCgutlh 7d+AAPjv1Kh3rWiqld654DE= =dhyN -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] other mhash hashes
David Norman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I thought some other people would be interested in the other hashes that you can do with mhash that aren't on the php.net docs after the recent news that SHA-1 might be weaker than previously thought: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html The built in constants that the mhash docs have listed are simply integers that tell mhash what to use. So I found the integers in mhash's mhash.h: http://cvs.sourceforge.net/viewcvs.py/mhash/mhash/lib/mhash.h?rev=1.25view=auto The following works for alternate hashes in the Win32 PHP 5.0.3 release of libmhash.h. For anyone wanting a step up from SHA-1, SHA256 works. David: You should really post this at the mhash manual entry in php.net. I'm sure others would find it useful. Good find :) Cheers, Burhan [ snippity snip snip ] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php