
[PHP] Be careful when using the crypt function

Recently, PHP's crypt function broke in a new system I had designed. In my database design the password field is 64 characters long. The system ran fine on CentOS 5.5 with PHP 5.2.x; however, when I moved it to Debian 7.3.0 with PHP 5.4.x, it failed to generate the password.

CentOS 5.5 used MD5 as the default crypt scheme, and PHP's crypt() did the same (CRYPT_MD5). An MD5 crypt hash is 34 characters long: a 12-character prefix carrying the salt, of the form "$1$ … $", followed by 22 base64-style hash characters (128 bits / 6 bits per character, rounded up, gives 22 characters). The hashed password therefore fit comfortably in a field of size 64.

Unfortunately, the new operating system uses SHA-512 crypt as its default scheme, and PHP's crypt() follows that default as well. With the default settings, the SHA-512 hash is 102 characters long: a 16-character prefix carrying the salt, of the form "$6$…$", followed by 86 base64-style hash characters (512 bits / 6 bits per character, rounded up, gives 86). The default field size of 64 leaves no room for the whole 102 characters, so the stored hash is cut short and the password verifier fails as well. 🙁
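As an added example (not code from the original post; it assumes PHP 7 or later), the following reproduces the length problem described above: it hashes one password with the MD5 and SHA-512 crypt schemes, checks whether each result fits the post's 64-character column, and shows that a silently truncated hash no longer verifies. The storableHash() guard and the PASSWORD_COLUMN_LENGTH constant are this example's own assumptions.

```php
<?php
// Added example, not from the original post. Assumes a VARCHAR(64)
// password column as described in the post and PHP >= 7.
const PASSWORD_COLUMN_LENGTH = 64;

// Build a crypt() salt string: scheme prefix, random salt chars, closing '$'.
function makeSalt(string $prefix, int $saltChars): string {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < $saltChars; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $prefix . $salt . '$';
}

// Hash with the two schemes discussed in the post.
//   md5:    "$1$" + 8 salt chars + "$" + 22 hash chars  = 34
//   sha512: "$6$" + 12 salt chars + "$" + 86 hash chars = 102
function hashWithScheme(string $password, string $scheme): string {
    switch ($scheme) {
        case 'md5':    return crypt($password, makeSalt('$1$', 8));
        case 'sha512': return crypt($password, makeSalt('$6$', 12));
        default:       throw new InvalidArgumentException("unknown scheme: $scheme");
    }
}

// Guard (assumed helper): refuse to store a hash the column cannot hold,
// instead of letting the database cut it short. PHP's manual recommends a
// 255-character column for password_hash() output for the same reason.
function storableHash(string $hash, int $columnLength = PASSWORD_COLUMN_LENGTH): string {
    if (strlen($hash) > $columnLength) {
        throw new LengthException(sprintf(
            'hash is %d chars but the column holds %d; widen the column',
            strlen($hash), $columnLength));
    }
    return $hash;
}

// Verify the way the post's verifier does: re-run crypt() with the stored
// value as the salt and compare in constant time.
function verify(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

$password = 'correct horse battery staple';
foreach (['md5', 'sha512'] as $scheme) {
    $hash = hashWithScheme($password, $scheme);
    // Simulate a database that silently truncates to the column width
    // (e.g. MySQL without STRICT_TRANS_TABLES).
    $truncated = substr($hash, 0, PASSWORD_COLUMN_LENGTH);
    printf("%-6s length=%3d fits=%-3s verifies_after_truncation=%s\n",
        $scheme, strlen($hash),
        strlen($hash) <= PASSWORD_COLUMN_LENGTH ? 'yes' : 'no',
        verify($password, $truncated) ? 'yes' : 'no');
}
```

Running it shows the MD5 hash fitting and verifying while the SHA-512 hash no longer fits and fails verification once truncated; wrapping the store step in storableHash() turns the silent truncation into an explicit error.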

