Re: [PHP] other mhash hashes
Burhan Khalid wrote: ... David: You should really post this at the mhash manual entry in php.net. I'm sure others would find it useful. Good find :) Cheers, Burhan [ snippity snip snip ] Agreed! I found it very, very useful. -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
Re: [PHP] other mhash hashes
Burhan Khalid wrote: David Norman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I thought some other people would be interested in the other hashes that you can do with mhash that aren't on the php.net docs after the recent news that SHA-1 might be weaker than previously thought: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Before we get a hundred posts about SHA-1 being broken would eveyrbody please read: http://nuglops.com/blog/index.php?p=1021 and maybe *ALL* the contributions way down at the bottom of the original post link? You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY. The wise reader will put Upgrade to SHA-256 on their ToDo list and go back to work now. :-) Though I did find the post to add meta-data such as the character distribution to the hash interesting... The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] other mhash hashes
Richard Lynch wrote: ... http://www.schneier.com/blog/archives/2005/02/sha1_broken.html Before we get a hundred posts about SHA-1 being broken would eveyrbody please read: http://nuglops.com/blog/index.php?p=1021 and maybe *ALL* the contributions way down at the bottom of the original post link? Why do you always have to ruin our fun, Richard? Do you have something against Chicken Little? :) You're still looking at thousands of years or millions of dollars to break SHA-1 if you want to start TODAY. The wise reader will put Upgrade to SHA-256 on their ToDo list and go back to work now. :-) Exactly. While I'm not sure about the time it would take to actually make use of the exploit found, it is certainly a long enough period of time that I'm not going to worry about it any time soon. Even with a significant increase in CPU performance it's going to be a while before this is a concern. Though I did find the post to add meta-data such as the character distribution to the hash interesting... I believe this is being reviewed as a possible addition to the OpenPGP standard. Then again I am no crypto expert (nor do I pretend to be, that stuff makes my head spin!). I am getting a bit OT here, but for those of you that use code that implements OpenPGP then you might want to read this: http://www.pgp.com/library/ctocorner/openpgp.html Short version: be careful about automatically decrypting OpenPGP messages; if you do this it is possible for your private key to be easily compromised. The odds on a SHA-1 being the same for two plain-texts *AND* having the same number of E's in the plain-texts? Really really really low, seems to me. -- Teach a man to fish... NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-generalw=2 STFM | http://www.php.net/manual/en/index.php STFW | http://www.google.com/search?q=php LAZY | http://mycroft.mozdev.org/download.html?name=PHPsubmitform=Find+search+plugins signature.asc Description: OpenPGP digital signature
[PHP] other mhash hashes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I thought some other people would be interested in the other hashes
that you can do with mhash that aren't on the php.net docs after the
recent news that SHA-1 might be weaker than previously thought:
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
The built in constants that the mhash docs have listed are simply
integers that tell mhash what to use. So I found the integers in
mhash's mhash.h:
http://cvs.sourceforge.net/viewcvs.py/mhash/mhash/lib/mhash.h?rev=1.25view=auto
The following works for alternate hashes in the Win32 PHP 5.0.3
release of libmhash.h. For anyone wanting a step up from SHA-1, SHA256
works.
$hashes = array('CRC32' = 0,
~ 'CRC32B' = 9,
~ 'ADLER32' = 18,
~ 'MD4' = 16,
~ 'MD5' = 1,
~ 'RIPEMD160' = 5,
~ 'SHA1' = 2,
~ 'SHA256' = 17,
~ 'HAVAL128' = 13,
~ 'HAVAL160' = 12,
~ 'HAVAL192' = 11,
~ 'HAVAL224' = 10,
~ 'HAVAL256' = 3,
~ 'TIGER128' = 14,
~ 'TIGER160' = 15,
~ 'TIGER192' = 7,
~ 'GOST' = 8);
foreach($hashes as $name = $number) {
~echo 'br /';
~echo $name, ': ', bin2hex(mhash($number, 'this is a test'));
}
or as PHP constants:
$hashes = array('CRC32' = MHASH_CRC32,
~ 'CRC32B' = MHASH_CRC32B,
~ 'ADLER32' = MHASH_ADLER32,
~ 'MD4' = MHASH_MD4,
~ 'MD5' = MHASH_MD5,
~ 'RIPEMD160' = MHASH_RIPEMD160,
~ 'SHA1' = MHASH_SHA1,
~ 'SHA256' = MHASH_SHA256,
~ 'HAVAL128' = MHASH_HAVAL128,
~ 'HAVAL160' = MHASH_HAVAL160,
~ 'HAVAL192' = MHASH_HAVAL192,
~ 'HAVAL224' = MHASH_HAVAL224,
~ 'HAVAL256' = MHASH_HAVAL256,
~ 'TIGER128' = MHASH_TIGER128,
~ 'TIGER160' = MHASH_TIGER160,
~ 'TIGER192' = MHASH_HAVAL192,
~ 'GOST' = MHASH_GOST);
foreach($hashes as $name = $number) {
~echo 'br /';
~echo $name, ': ', bin2hex(mhash($number, 'this is a test'));
}
I suspect if you were able to compile a more recent version of mhash,
the following complete list of mhash's hashes would work, including
SHA512 and WHIRLPOOL.
$hashes = array('CRC32' = 0,
~ 'CRC32B' = 9,
~ 'ADLER32' = 18,
~ 'MD2' = 27,
~ 'MD4' = 16,
~ 'MD5' = 1,
~ 'RIPEMD160' = 5,
~ 'RIPEMD128' = 22,
~ 'RIPEMD256' = 23,
~ 'RIPEMD320' = 24,
~ 'SHA1' = 2,
~ 'SHA224' = 19,
~ 'SHA256' = 17,
~ 'SHA384' = 21,
~ 'SHA512' = 20,
~ 'HAVAL128' = 13,
~ 'HAVAL160' = 12,
~ 'HAVAL192' = 11,
~ 'HAVAL224' = 10,
~ 'HAVAL256' = 3,
~ 'TIGER128' = 14,
~ 'TIGER160' = 15,
~ 'TIGER192' = 7,
~ 'GOST' = 8,
~ 'WHIRLPOOL' = 21,
~ 'SNEFRU128' = 25,
~ 'SNEFRU256' = 26);
foreach($hashes as $name = $number) {
~echo 'br /';
~echo $name, ': ', bin2hex(mhash($number, 'this is a test'));
}
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCEtHtqLBH+DmBuAIRAhN1AJ9YjaYRNP7d1FVp9zLXNDlBAeWvUQCgutlh
7d+AAPjv1Kh3rWiqld654DE=
=dhyN
-END PGP SIGNATURE-
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] other mhash hashes
David Norman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I thought some other people would be interested in the other hashes that you can do with mhash that aren't on the php.net docs after the recent news that SHA-1 might be weaker than previously thought: http://www.schneier.com/blog/archives/2005/02/sha1_broken.html The built in constants that the mhash docs have listed are simply integers that tell mhash what to use. So I found the integers in mhash's mhash.h: http://cvs.sourceforge.net/viewcvs.py/mhash/mhash/lib/mhash.h?rev=1.25view=auto The following works for alternate hashes in the Win32 PHP 5.0.3 release of libmhash.h. For anyone wanting a step up from SHA-1, SHA256 works. David: You should really post this at the mhash manual entry in php.net. I'm sure others would find it useful. Good find :) Cheers, Burhan [ snippity snip snip ] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
