What we mainly learn today is the use of some Hash hash encryption-related extension functions in PHP, not Hash algorithm, this kind of encryption is actually just a more complex key algorithm. Similar to the Hash algorithm, the string we input has its corresponding Hash hash value just like a Hash table. The essence The above is the same as the Hash key-value mapping in ordinary data structures, but the algorithm is more complex. In fact, as long as you have done PHP development for a period of time, you will definitely be familiar with two functions, which are md5() and sha1(). These two functions are to generate Hash encryption of md5 and sha1 algorithms respectively. However, what we are learning today is more complex than these two functions, and the algorithm form is also richer.
What is Hash information digest algorithm
Usually, after we input a piece of content into a Hash function, the returned hash string is the Hash information digest of the input value. In PHP, the same input will produce the same result, whether it is md5 or sha1. Therefore, when saving user password information, we try not to use only one layer of Hash, because this form of encryption can be cracked through brute force through rainbow tables. We can hash the password in multiple layers and add salt to complicate the hash value.
Of course, the Hash algorithm is not limited to the commonly used md5 and sha1. There are many other types of algorithms, but we do not commonly use them. However, the functions introduced today are just a set of functions that can perform many different types of Hash encryption. They have been integrated into the default environment in PHP. We do not need a separate extension to use it. In this way, it is for our Encrypted data diversification brings more convenience.
Hash algorithms supported by PHP
print_r(hash_algos());
// Array
// (
// [0] => md2
// [1] => md4
// [2] => md5
// [3] => sha1
// [4] => sha224
// [5] => sha256
// [6] => sha384
// [7] => sha512/224
// [8] => sha512/256
// [9] => sha512
// [10] => sha3-224
// [11] => sha3-256
// [12] => sha3-384
// [13] => sha3-512
// [14] => ripemd128
// [15] => ripemd160
// [16] => ripemd256
// [17] => ripemd320
// [18] => whirlpool
// [19] => tiger128,3
// [20] => tiger160,3
// [21] => tiger192,3
// [22] => tiger128,4
// [23] => tiger160,4
// [24] => tiger192,4
// [25] => snefru
// [26] => snefru256
// [27] => gost
// [28] => gost-crypto
// [29] => adler32
// [30] => crc32
// [31] => crc32b
// [32] => fnv132
// [33] => fnv1a32
// [34] => fnv164
// [35] => fnv1a64
// [36] => joaat
// [37] => haval128,3
// [38] => haval160,3
// [39] => haval192,3
// [40] => haval224,3
// [41] => haval256,3
// [42] => haval128,4
// [43] => haval160,4
// [44] => haval192,4
// [45] => haval224,4
// [46] => haval256,4
// [47] => haval128,5
// [48] => haval160,5
// [49] => haval192,5
// [50] => haval224,5
// [51] => haval256,5
// )
$data = "我们来测试一下Hash算法!";
foreach (hash_algos() as $v) {
$r = hash($v, $data);
echo $v, ':', strlen($r), '::', $r, PHP_EOL;
}
// md2:32::3d63d5f6ce9f03379fb3ae5e1436bf08
// md4:32::e9dc8afa241bae1bccb7c58d4de8b14d
// md5:32::2801b208ec396a2fc80225466e17acac
// sha1:40::0f029efe9f1115e401b781de77bf1d469ecee6a9
// sha224:56::3faf937348ec54936be13b63feee846d741f8391be0a62b4d5bbb2c8
// sha256:64::8f0bbe9288f6dfd2c6d526a08b1fed61352c894ce0337c4e432d97570ae521e3
// sha384:96::3d7d51e05076b20f07dad295b161854d769808b54b784909901784f2e76db212612ebe6fe56c6d014b20bd97e5434658
// ……
foreach (hash_hmac_algos() as $v) {
$r = hash_hmac($v, $data, 'secret');
echo $v, ':', strlen($r), '::', $r, PHP_EOL;
}
// md2:32::70933e963edd0dcd4666ab9253a55a12
// md4:32::d2eda43ee4fab5afc067fd63ae6390f1
// md5:32::68bf5963e1426a1feff8149da0d0b88d
// sha1:40::504bc44704b48ac75435cdccf81e0f056bac98ba
// sha224:56::8beaf35baedc2cd5725c760ec77d119e3373f14953c74818f1243f69
// sha256:64::23f2e6685fe368dd3ebe36e1d3d672ce8306500366ba0e8a19467c94e13ddace
// sha384:96::740ce7488856737ed57d7b0d1224d053905661ffca083c02c6a9a9230499a4a3d96ff0a951b8d03dbafeeeb5c84a65a6
// ……
Through the hash_algos() and hash_hmac_algos() functions, we can get all the Hash algorithms supported in the current PHP environment, and we can see the familiar md5 and sha1, you can also see md2, sha224, ripemd320, fnv1a64 and other rarely seen algorithms. Then by traversing the contents returned by these two functions, and using the hash() and hash_hmac() functions to hash the data and view their contents, we can find that each algorithm can successfully return different encrypted information digests, and There are different digits.
hmac related function is another form of PHP's Hash algorithm. It is an algorithm that requires a key, which is the third parameter of hash_hmac(). Only if the input content is the same and the key is the same will the result returned be the same. In other words, this function can be used for symmetrically encrypted information transfer verification tokens. For example, if the interface intercommunication between two systems requires a fixed token, you can use this function to achieve it.
Comparison with md5() and sha1()
This hash() function is so powerful, so is the content it generates the same as md5?
// 与 md5 sha1 函数对比
echo hash('md5', '我们来测试一下Hash算法!'), PHP_EOL;
echo md5('我们来测试一下Hash算法!'), PHP_EOL;
// 2801b208ec396a2fc80225466e17acac
// 2801b208ec396a2fc80225466e17acac
echo hash('sha1', '我们来测试一下Hash算法!'), PHP_EOL;
echo sha1('我们来测试一下Hash算法!'), PHP_EOL;
// 0f029efe9f1115e401b781de77bf1d469ecee6a9
// 0f029efe9f1115e401b781de77bf1d469ecee6a9
echo hash('fnv164', '我们来测试一下Hash算法!'), PHP_EOL;
// b25bd7371f08cea4
Of course there is no doubt about this. I even feel that the two functions md5() and sha1() themselves are syntactic sugar for the hash() function. Because these two algorithms are so commonly used, PHP directly encapsulates the two current functions for us, and they only require one parameter, which is very simple and convenient.
File HASH
In many download sites, the Hash value of the downloaded file will be provided for us to perform verification and comparison to determine whether the downloaded file is complete and identical. This is the application of file Hash. In fact, to put it bluntly, it is just a summary of the information about the file obtained after hashing the file content. This set of functions is of course also perfectly supported in our PHP.
/ 文件 HASH
echo hash_file('md5', './create-phar.php'), PHP_EOL;
echo md5_file('./create-phar.php'), PHP_EOL;
// ba7833e3f6375c1101fb4f1d130cf3d3
// ba7833e3f6375c1101fb4f1d130cf3d3
echo hash_hmac_file('md5', './create-phar.php', 'secret'), PHP_EOL;
// 05d1f8eb7683e190340c04fc43eba9db
HASH algorithm of hkdf and pbkdf2
The two algorithms introduced next are two special Hash algorithms. Similar to hmac, but more complex than hmac.
// hkdf pbkdf2 算法
// 算法 明文密码(原始二进制) 输出长度 应用程序/特定于上下文的信息字符串 salt值
$hkdf1 = hash_hkdf('sha256', '123456', 32, 'aes-256-encryption', random_bytes(2));
$hkdf2 = hash_hkdf('sha256', '123456', 32, 'sha-256-authentication', random_bytes(2));
var_dump($hkdf1);
var_dump($hkdf2);
// string(32) "ԇ`q��X�l�
// f�y��}Ozb+�"
// string(32) "%���]�+̀�\JdG��HL��GK��
// -"
// 算法 明文密码 salt值 迭代次数 数据长度
echo hash_pbkdf2("sha256", '123456', random_bytes(2), 1000, 20), PHP_EOL;
// e27156f9a6e2c55f3b72
hmac only requires a key, hash_hkdf() adds three parameters: return length, application/context-specific information string, and salt value, and encrypted content It’s binary encrypted content, doesn’t it feel very high-end? Hash_pbkdf2() adds three parameters: salt value, number of iterations and data length, and is also a good helper for password encryption. But relatively speaking, their use is more complicated. If it is a password with very high security requirements, you can use these two functions.
hash_equals() function performs Hash comparison
PHP also provides us with a function to compare whether Hash values are equal. Some friends may ask, since the summary information in the form of a string is returned, wouldn't it be enough to simply ===? Why do we need a special function to compare? Don't worry, let's look at the code first.
// hash_equals 比较函数
$v1 = hash('md5', '测试对比');
$v2 = hash('md5', '测试对比');
$v3 = hash('md5', '测试对比1');
// 比较两个字符串,无论它们是否相等,本函数的时间消耗是恒定的
// 本函数可以用在需要防止时序攻击的字符串比较场景中, 例如,可以用在比较 crypt() 密码哈希值的场景
var_dump(hash_equals($v1, $v2));
var_dump(hash_equals($v1, $v3));
// bool(true)
// bool(false)
我在注释中已经写得很清楚了,hash_equals() 函数主要是可以防止时序攻击。一般来说,这个时序攻击就是根据你的系统运行时间长短来判断你的系统中使用了什么函数或者功能,这都是非常厉害的黑客高手玩的东西。比如说,我们比较用户密码的时候,假设是一位一位的进行比较,那么如果第一个字符错了信息很快就会返回,而如果比较到最后一个才错的时候,程序运行时间就会长很多,黑客就可以根据这个时长来判断当前暴力破解的内容是否一步步达到目标,也让破解难度逐步下降。(普通的字符串比较 === 就是基于位移的)。而 hash_equals() 则是不管怎么比较,相同的 Hash 算法长度的内容返回的时间都是相同的。OpenSSL 、 OpenSSH 等软件都曾出现过这种类似的时序攻击漏洞!
当然,这个我们只做了解即可,同样也是对于安全性有特殊要求的一些项目,就可以使用这个函数来避免出现这种时序攻击的漏洞提高系统安全性。
增量 Hash 操作
最后我们要学习的是一套增量 Hash 的操作函数。其实对于字符串来说,大部分情况下我们直接将字符串拼接好再 Hash 就可以了,并不太需要增量 Hash 的能力。但是如果是对于多个文件或者读写流来说,想要获得多文件的 Hash 值,就可以使用这一套增量 Hash 函数来进行操作了。
// 增量 HASH
$fp = tmpfile();
fwrite($fp, '初始化一个流文件');
rewind($fp);
$h1 = hash_init('md5'); // 开始增量 Hash
hash_update($h1, '测试增量'); // 普通字符串
hash_update_file($h1, './create-phar.php'); // 文件
hash_update_stream($h1, $fp); // 流
$v1 = hash_final($h1); // 结束 Hash 返回结果
echo $v1, PHP_EOL;
// 373df6cc50a1d7cd53608208e91be1e7
$h2 = hash_init('md5', HASH_HMAC, 'secret'); // 使用 HMAC 算法的增量 HASH
hash_update($h2, '测试增量');
hash_update_file($h2, './create-phar.php');
hash_update_stream($h2, $fp);
$v2 = hash_final($h2);
echo $v2, PHP_EOL;
// 34857ee5d8b573f6ee9ee20723470ea4
我们使用 hash_init() 来获得一个增量 Hash 操作句柄并指定好加密算法。然后使用 hash_update() 添加字符串、使用 hash_update_file() 增加文件内容,使用 hash_update_stream() 来增加流内容,最后使用 hash_final() 结束句柄操作进行 Hash 计算并返回结果值。得到的结果值就是包含字符串、文件和流内容一起 Hash 的结果。
推荐学习:《PHP视频教程》
总结
说实话,在没有学习今天的内容之前,我也一直以为 PHP 里面只有 md5 和 sha1 这两种 Hash 算法呢。这回真是大开了眼界,我们不仅拥有丰富的算法库,而且还有很多方便的操作函数能够帮助我们方便的使用这些算法,不多说了,学习继续!
测试代码:
https://github.com/zhangyue0503/dev-blog/blob/master/php/202007/source/PHP%E7%9A%84Hash%E4%BF%A1%E6%81%AF%E6%91%98%E8%A6%81%E6%89%A9%E5%B1%95%E6%A1%86%E6%9E%B6.php
