Impossible tri-bar

Digital Phenomena - Your first stop for internet consultancy 
Encryption Tutorial — Lesson 2
Lesson 2

by Julie Meloni

Page 1 — Hashes and One-Way Encryption

"One-way encryption? What's the point?" you may say. Well, not being able to decrypt something is sometimes a good thing. When you create a hash, you're only creating a digital summary of the string or file in question. You're not encrypting the string or file, and therefore the string or file can't be decrypted. On most systems, passwords are stored as hashes, so should someone break into your system and grab your password file, said rogue user doesn't necessarily have your passwords, just hashes of the passwords.

This begs the questions "Well then, how does the system match my password when I enter 'banana' and it has stored 'ZTkvRRZNsOUik' in the password file?" It's simple (for once, a simple explanation!): When you enter the password, the system will hash the input, and attempt to match this hashed input to the hash it has stored in the password file. If the two hashes match, you're allowed in.

For more information about the concept of hashing algorithms, a good place to start is with the "What is a Hash Function" section of the RSA Labs Crypto FAQ.

Hashes are used not only in password-matching situations, but also to ensure that the integrity of a file has not become compromised, meaning it hasn't changed in any way. If you have a file that contains the string "10000" and the string changes to "10001," the resulting hash will be very different.

PHP has one hash function already built-in, md5(). But if you download and install the mhash library, from http://sasweb.de/mhash/, then compile PHP using the --with-mhash configuration option, and you will have access to additional hashing algorithms besides MD5, such as SHA1, HAVAL, TIGER, GOST and others.

When PHP is compiled using the --with-mhash configuration option, the following PHP functions are among those included:

  • mhash — compute the hash of a string (or file)
  • mhash_get_block_size — provides the block size of a given hash
  • mhash_get_hash_name — provides the full name of a given hash

Extended descriptions and user annotations on the mhash functions are part of the PHP Manual. The installation of the mhash library is:

  1. download *.tar.gz file
  2. gunzip the *.gz file
  3. tar -xvf the *.tar file
  4. cd mhash*
  5. ./configure --disable-pthreads
  6. make
  7. make install

NOTE: The configuration flag "--disable-pthreads" has shown to be the key in making Apache, PHP, and the mhash library work without a hitch. Your mileage may vary. Be sure to check the PHP mailing list archives if you have any problems with installation.

The following script example shows the use of some mhash functions. I plan to create a hash of the fourth paragraph of this section, the text beginning with "Hashes are used not only ..." (how very secret!).

First, put the contents of a file or a string into a variable. I called mine $to_hash, because I'm descriptive and verbose:

$to_hash = "Hashes are used not only in password-matching situations, but also to ensure that the integrity of a file has not become compromised, meaning it hasn't changed in any way. If you have a file that contains the string \"10000\" and the string changes to \"10001,\" the resulting hash will be very different.";

Be sure to escape any quotation marks or other special characters in your string!

Next, create a variable containing the hash name. I'm using MHASH_TIGER in this example:

$hash_to_use = MHASH_TIGER;

Now create the hash, by assigning the value of the output of the mhash() function to a variable. I used $hash_of_string as my variable name. The mhash() function takes two arguments: the hash to use and the string to hash.

$hash_of_string = mhash($hash_to_use, $to_hash);

You'd think that was it, wouldn't you? Just echo back the value of $hash_of_string and you're done? Not true. Hashes are binary, which means the stuff in $hash_of_string is binary data. If you echo it back to the screen, you'll see a bunch of crappy characters, which is your browser attempting to display binary data. Instead, use the handy bin2hex() function, which converts binary data to hexadecimal:

echo "<p>The hash of that big paragraph is " . bin2hex($hash_of_string) . "</p>";

Finally, some more information, just to show that the mhash_get_hash_name() and mhash_get_block_size() functions really work:

$hash_name = mhash_get_hash_name($hash_to_use);
$hash_block_size = mhash_get_block_size($hash_to_use);

echo "<p>Hash Name: $hash_name</p>";
echo "<p>Hash Block Size: $hash_block_size</p>";

So, from top to bottom, here's a sample mhash script:

<?

$to_hash = "Hashes are used not only in password-matching 
situations, but also to ensure that the integrity of a 
file has not become compromised, meaning it hasn't changed 
in any way.  If you have a file that contains the string 
\"10000\" and the string changes to \"10001,\" the resulting 
hash will be very different.";

$hash_to_use = MHASH_TIGER;

$hash_of_string = mhash($hash_to_use, $to_hash);


echo "<p>The hash of that big paragraph is " . 
bin2hex($hash_of_string) .  "</p>";

$hash_name = mhash_get_hash_name($hash_to_use);
$hash_block_size = mhash_get_block_size($hash_to_use);

echo "<p>Hash Name: $hash_name</p>";
echo "<p>Hash Block Size: $hash_block_size</p>";


?>
The output of this particular script is:

The hash of that big paragraph is 582cc28f78c2d87c4d6c9b16978d31c80b8e0d6fd87d61f2

Hash Name: TIGER

Hash Block Size: 24

Fun, isn't it? Now, what happens if I change one character in the string $to_hash? Suppose I changed the two numbers to "99999" and "55555"? The new hash is: 93dcdcaa1b6dc4e7b0ec3121aae7acc29d530267f1fa949e, which is vastly different from the original, and all I did was change two numbers! Obviously, hash functions are very useful in determining if a file or string has changed.

next page»


|Home|About Us|Services|Search|
|Software|Products|Support|Links|Latest|
W3C validatedW3C validated CSSCompatible with all browsers