PHP5 hash function

[joebert]

Consider this situation.

A system is setup for logging in, the database stores hashes of passwords generated using the hash function.

The site moves to a new server where the previous hash_algo is not available.

What do you do ?

[logic_earth]

Either get it installed, a coded version, or find a new host.

[ServerStorm]

Do you understand what hashing algorithm you were using in the PHP Hash function? My guess is that you don't. The Hash PHP function was only supported as of PHP 5.1.2, however you may still be able to access the hashing algorithm (like MD5 or Sha256) but just not wrapped up in a native PHP Hash function - you can build it your-self. Are you sure that your hashing algorithm is not installed on the server? If your algorithm is not installed then, as Logic-Earth suggested you could ask if your ISP could install it - they may not be willing to upgrade their version of PHP but you may be able to convince them to install the algorithm you need and then you can roll your own hashing function.

ServerStorm

[joebert]

I'm not currently in this situation.

When I started this thread I was writing a class to benchmark the 30-somthing algorithms available on the box sitting next to me. Ranging from 8 byte CRC hashes to 128 byte SHA hashes.

Here's the class, it's a bit gnarly & at a point right in the middle of when I decided to start deriving an analysis base class from it, but you should be able to get the idea of what it's for.

I just had that thought, what would happen if someone used this to determine which algo to use for a system, then moved to another system & was faced with the issue outlined in my original post.

Code PHP:

<?php
class analysis
{
	protected $benchmarks = array();
	protected $options = array();
	public static function gen_strings($length = 1024, $count = 10)
	{
		$strs = array();
		for($i = 0; $i < $count; $i++)
		{
			$str = '';
			for($j = 0; $j < $length; $j++)
			{
				$str .= chr(rand(1, 100));
			}
			$strs[] = $str;
		}
		return $strs;
	}
	public static function sort_time($a, $b)
	{
		if($a['time'] == $b['time'])
		{
			return 0;
		}
		return ($a['time'] < $b['time']) ? -1 : 1;
	}
	public static function sort_length($b, $a)
	{
		if($a['length'] == $b['length'])
		{
			return self::sort_time($b, $a);
		}
		return ($a['length'] < $b['length']) ? -1 : 1;
	}
	public static function sort_score($b, $a)
	{
		if($a['score'] == $b['score'])
		{
			return self::sort_time($a, $b);
		}
		return ($a['score'] < $b['score']) ? -1 : 1;
	}
}
class hash_analysis extends analysis
{
	protected $options = array(
		'speed_weight' => 0.5,
		'length_weight' => 0.5,
		'min_hash_length' => 1,
		'max_hash_length' => 512,
		'test_count' => 10,
		'test_bytes' => 1024
	);
 
	public function __set($key, $val)
	{
		switch($key)
		{
			case 'speed_weight':
			case 'length_weight':
				$val = max(0, min(1, (float)$val));
			case 'speed_weight':
				$this->options['speed_weight'] = $val;
				$this->options['length_weight'] = 1 - $val;
			break;
			case 'length_weight':
				$this->options['length_weight'] = $val;
				$this->options['speed_weight'] = 1 - $val;
			break;
			case 'min_hash_length':
			case 'max_hash_length':
			case 'test_count':
			case 'test_bytes':
				$this->options[$key] = max(1, (int)$val);
			break;
			default:
				$this->options[$key] = $val;
			break;
		}
	}
	public function __get($key)
	{
		switch($key)
		{
			case 'hash_algos':
				$algos = array();
				foreach(hash_algos() as $algo)
				{
					$algos[$algo] = array();
				}
				return $algos;
			break;
			default:
				return isset($this->options[$key]) ? $this->options[$key] : false;
			break;
		}
	}
 
	public function __construct($options = array())
	{
		foreach($options as $key => $val)
		{
			$this->$key = $val;
		}
	}
	public function __toString()
	{
		$strs = parent::gen_strings($this->test_bytes, $this->test_count);
 
		$this->benchmarks = $this->hash_algos;
		foreach($this->benchmarks as $algo => $details)
		{
			$this->benchmarks[$algo] = array('algo' => $algo, 'time' => 0.00, 'hash' => '', 'length' => 0, 'score' => 0);
			foreach($strs as $str)
			{
				$start = microtime(true);
				$this->benchmarks[$algo]['hash'] = hash($algo, $str);
				$this->benchmarks[$algo]['time'] += (microtime(true) - $start);
			}
			$len = strlen($this->benchmarks[$algo]['hash']);
			if(($len <= $this->max_hash_length) && ($len >= $this->min_hash_length))
			{
				$this->benchmarks[$algo]['length'] = $len;
			}
			else
			{
				unset($this->benchmarks[$algo]);
			}
		}
 
		$count = sizeof($this->benchmarks); $i = $count;
		usort($this->benchmarks, array('hash_analysis', 'sort_time'));
		foreach($this->benchmarks as $algo => $details)
		{
			$this->benchmarks[$algo]['score'] = $i * $this->speed_weight;
			$i--;
		}
		$i = $count;
		usort($this->benchmarks, array('hash_analysis', 'sort_length'));
		foreach($this->benchmarks as $algo => $details)
		{
			$this->benchmarks[$algo]['score'] += $i * $this->length_weight;
			$i--;
		}
		usort($this->benchmarks, array('hash_analysis', 'sort_score'));
 
		$table = '<table class="hash_analysis" style="float:left;" border="1" cellpadding="2" cellspacing="1"><tr><th>Algo</th><th>Time</th><th>Length</th><th>Score</th></tr>';
		for($i = 0, $count = min(5,$count); $i < $count; $i++)
		{
			$table .= sprintf('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>',
				$this->benchmarks[$i]['algo'],
				$this->benchmarks[$i]['time'],
				$this->benchmarks[$i]['length'],
				$this->benchmarks[$i]['score']
			);
		}
		return $table . '</table>';
	}
	public function algo_exists($hash_name = false)
	{
		return ($hash_name && isset($this->hash_algos[strtolower($hash_name)]));
	}
 
}
$options = array(
	'speed_weight'		=> 0.75,
	'max_hash_length'	=> 48
);
for($i = 0; $i<12; $i++)
{
	print new hash_analysis($options);
}
?>

[Seantyr]

Generate a new password for everyone using the new hashing algorithm and email them it.

[Czaries]

Yes, the only way is to just generate everyone a new password and send it to them. It's the easiest and quickest way to solve the problem.