©
本文档使用
php.cn手册 发布
(PHP 4, PHP 5)
crypt — 单向字符串散列
$str
[, string $salt
] )crypt() 返回一个基于标准 UNIX DES 算法或系统上其他可用的替代算法的散列字符串。
salt
参数是可选的。然而,如果没有salt
的话, crype() 创建出来的会是弱密码。 php 5.6及之后的版本会在没有它的情况下抛出一个 E_NOTICE 级别的错误。为了更好的安全性,请确保指定一个足够强度的盐值。
password_hash() 使用了一个强的哈希算法,来产生足够强的盐值,并且会自动进行合适的轮次。 password_hash() 是 crypt() 的一个简单封装,并且完全与现有的密码哈希兼容。推荐使用 password_hash() 。
有些系统支持不止一种散列类型。实际上,有时候,基于 MD5 的算法被用来替代基于标准 DES 的算法。这种散列类型由盐值参数触发。在 5.3 之前,PHP 在安装时根据系统的 crypt() 决定可用的算法。如果没有提供盐值,PHP 将自动生成一个 2 个字符(DES)或者 12 个字符(MD5)的盐值 ,这取决于 MD5 crypt() 的可用性。PHP 设置了一个名为 CRYPT_SALT_LENGTH
的常量,用来表示可用散列允许的最长可用盐值。
基于标准 DES 算法的 crypt() 在输出内容的开始位置返回两个字符的盐值。它也只使用 str
的开始 8 个字符,所以更长的以相同 8 个字符开始的字符串也将生成相同的结果(当使用了相同的盐值时)。
在 crypt() 函数支持多重散列的系统上,下面的常量根据相应的类型是否可用被设置为 0 或 1:
CRYPT_STD_DES
- 基于标准 DES 算法的散列使用 "./0-9A-Za-z" 字符中的两个字符作为盐值。在盐值中使用非法的字符将导致 crypt() 失败。
CRYPT_EXT_DES
- 扩展的基于 DES 算法的散列。其盐值为 9 个字符的字符串,由 1 个下划线后面跟着 4 字节循环次数和 4 字节盐值组成。它们被编码成可打印字符,每个字符 6 位,有效位最少的优先。0 到 63 被编码为 "./0-9A-Za-z"。在盐值中使用非法的字符将导致 crypt() 失败。
CRYPT_MD5
- MD5 散列使用一个以 $1$ 开始的 12 字符的字符串盐值。
CRYPT_BLOWFISH
- Blowfish 算法使用如下盐值:“$2a$”,一个两位 cost 参数,“$” 以及 64 位由 “./0-9A-Za-z” 中的字符组合而成的字符串。在盐值中使用此范围之外的字符将导致 crypt() 返回一个空字符串。两位 cost 参数是循环次数以 2 为底的对数,它的范围是 04-31,超出这个范围将导致 crypt() 失败。
PHP 5.3.7 之前只支持 “$2a$” 作为盐值的前缀,PHP 5.3.7 开始引入了新的前缀来修正一个在Blowfish实现上的安全风险。可以参考» this document来了解关于这个修复的更多信息。总而言之,开发者如果仅针对 PHP 5.3.7及之后版本进行开发,那应该使用 “$2y$” 而非 “$2a$”
CRYPT_SHA256
- SHA-256 算法使用一个以 $5$ 开头的 16 字符字符串盐值进行散列。如果盐值字符串以 “rounds=<N>$” 开头,N 的数字值将被用来指定散列循环的执行次数,这点很像 Blowfish 算法的 cost 参数。默认的循环次数是 5000,最小是 1000,最大是 999,999,999。超出这个范围的 N 将会被转换为最接近的值。
CRYPT_SHA512
- SHA-512 算法使用一个以 $6$ 开头的 16 字符字符串盐值进行散列。如果盐值字符串以 “rounds=<N>$” 开头,N 的数字值将被用来指定散列循环的执行次数,这点很像 Blowfish 算法的 cost 参数。默认的循环次数是 5000,最小是 1000,最大是 999,999,999。超出这个范围的 N 将会被转换为最接近的值。
Note:
从 PHP 5.3.0 起,PHP 包含了它自己的实现,并将在系统缺乏相应算法支持的时候使用它自己的实现。
str
待散列的字符串。
使用 CRYPT_BLOWFISH
算法将导致str
被裁剪为一个最长72个字符的字符串。
salt
可选的盐值字符串。如果没有提供,算法行为将由不同的算法实现决定,并可能导致不可预料的结束。
返回散列后的字符串或一个少于 13 字符的字符串,从而保证在失败时与盐值区分开来。
当校验密码时,应该使用一个不容易被时间攻击的字符串比较函数来比较 crypt() 的输出与之前已知的哈希。出于这个目的,PHP5.6开始提供了 hash_equals() 。
版本 | 说明 |
---|---|
5.6.5 |
When the failure string "*0" is given as the
salt , "*1" will now be returned for consistency
with other crypt implementations. Prior to this version, PHP 5.6 would
incorrectly return a DES hash.
|
5.6.0 |
Raise E_NOTICE security warning if salt is omitted.
|
5.5.21 |
When the failure string "*0" is given as the
salt , "*1" will now be returned for consistency
with other crypt implementations. Prior to this version, PHP 5.5 (and
earlier branches) would incorrectly return a DES hash.
|
5.3.7 | Added $2x$ and $2y$ Blowfish modes to deal with potential high-bit attacks. |
5.3.2 | 基于 Ulrich Drepper 的» 实现,新增基于 SHA-256 算法和 SHA-512 算法的 crypt。 |
5.3.2 | 修正了 Blowfish 算法由于非法循环导致的问题,返回“失败”字符串(“*0” 或 “*1”)而不是转而使用 DES 算法。 |
5.3.0 | PHP 现在包含了它自己的 MD5 Crypt 实现,包括标准 DES 算法,扩展的 DES 算法以及 Blowfish 算法。如果系统缺乏相应的实现,那么 PHP 将使用它自己的实现。 |
Example #1 crypt() 范例
<?php
$hashed_password = crypt ( 'mypassword' ); // 自动生成盐值
if ( hash_equals ( $hashed_password , crypt ( $user_input , $hashed_password ))) {
echo "Password verified!" ;
}
?>
Example #2 利用 htpasswd 进行 crypt() 加密
<?php
// 设置密码
$password = 'mypassword' ;
// 获取散列值,使用自动盐值
$hash = crypt ( $password );
?>
Example #3 以不同散列类型使用 crypt()
<?php
if ( CRYPT_STD_DES == 1 ) {
echo 'Standard DES: ' . crypt ( 'rasmuslerdorf' , 'rl' ) . "\n" ;
}
if ( CRYPT_EXT_DES == 1 ) {
echo 'Extended DES: ' . crypt ( 'rasmuslerdorf' , '_J9..rasm' ) . "\n" ;
}
if ( CRYPT_MD5 == 1 ) {
echo 'MD5: ' . crypt ( 'rasmuslerdorf' , '$1$rasmusle$' ) . "\n" ;
}
if ( CRYPT_BLOWFISH == 1 ) {
echo 'Blowfish: ' . crypt ( 'rasmuslerdorf' , '$2a$07$usesomesillystringforsalt$' ) . "\n" ;
}
if ( CRYPT_SHA256 == 1 ) {
echo 'SHA-256: ' . crypt ( 'rasmuslerdorf' , '$5$rounds=5000$usesomesillystringforsalt$' ) . "\n" ;
}
if ( CRYPT_SHA512 == 1 ) {
echo 'SHA-512: ' . crypt ( 'rasmuslerdorf' , '$6$rounds=5000$usesomesillystringforsalt$' ) . "\n" ;
}
?>
以上例程的输出类似于:
Standard DES: rl.3StKT.4T8M Extended DES: _J9..rasmBYk8r9AiWNc MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0 Blowfish: $2a$07$usesomesillystringfore2uDLvp1Ii2e./U9C8sBjqp8I90dH6hi SHA-256: $5$rounds=5000$usesomesillystri$KqJWpanXZHKq2BOB43TSaYhEWsQ1Lr5QNyPCDH/Tp.6 SHA-512: $6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21
Note: 由于 crypt() 使用的是单向算法,因此不存在 decrypt 函数。
[#1] synnus at gmail dot com [2015-10-05 16:59:04]
<?php
//
// Variable Ascii Crypt Key simple
// By Synnus - 2015
// ---
// array vak32_encode ( string $string , string $key, string 'show' or null )
// array[0] is encod string , array[1] is gen key decode
// ---
// string vak32_decode ( string $string , string $key)
function vak32_encode($ch_o,$vcp,$show=null) {
$vco = array();
$b = strlen($vcp);
for($a=0; $a<$b ; $a++) {
$vco[] = ord($vcp[$a]);
}
$ch_c = null;
$vcx = array();
$ch_vt = 0;
foreach($vco as $k => $v) {
$rd = rand(0,$v);
$vcx[$k] = $rd ;
$ch_vt += $rd;
}
$sl = strlen($ch_o);
$a=-1;
$vcw = array_merge($vco,$vcx);
shuffle($vcw);
reset($vcw);
while($sl > ++$a) {
$vcz = ((next($vcw)) ? current($vcw): reset($vcw));
$gv = intval(ord($ch_o[$a]) + $vcz);
if($gv > 255) { $gv = ($gv - 255); }
$ch_cx = chr($gv);
$ch_c .= $ch_cx;
//echo $ch_o[$a]," <- ",$ch_cx,' : ',$gv,' #> ', $vcz ,PHP_EOL;
}
$blk32 = null;
$blk32f = 'VAK32===========================#'.PHP_EOL;
foreach($vcw as $l) {
$blk32 .= ((strlen($k = strtoupper(dechex($l))) == 1 ) ? '0'.$k : $k);
if(strlen($blk32) == 32) {
$blk32f .= $blk32.'#'.PHP_EOL;
$blk32="";
}
}
$blk32f .= $blk32.'#';
if($show=='show') { echo PHP_EOL,$ch_c,PHP_EOL,PHP_EOL,$blk32f,PHP_EOL,print_r($vcw); }
return array($ch_c,$blk32f);
}
function vak32_decode($ch_c,$vcw) {
$genk = str_ireplace(array('VAK32',"=",'#',PHP_EOL,' '),null,$vcw);
$glk = strlen($genk);
$gnkey = array();
for($a=0; $a<$glk; $a+=2) {
$hxm = substr($genk,$a,2);
$gnkey[] = hexdec($hxm);
}
//print_r($gnkey);
$vcw = $gnkey;
$sd = strlen($ch_c);
$ch_cz = null;
$a=-1;
reset($vcw);
while($sd > ++$a) {
$vcz = ((next($vcw)) ? current($vcw): reset($vcw));
$gv = intval(ord($ch_c[$a]) - $vcz);
if($gv > 255) { $gv = ($gv - 255); }
elseif($gv < 0) { $gv = (255 + $gv); }
$ch_cy = chr($gv);
$ch_cz .= $ch_cy;
//echo $ch_c[$a]," <- ",$ch_cy,' : ',$gv,' #> ', $vcz ,PHP_EOL;
}
return $ch_cz;
}
$my_string = "hellow world foo bar";
$key_encod = "foobar!1234";
$genx = vak32_encode($my_string,$key_encod);
echo PHP_EOL . PHP_EOL;
echo ' my string : ' , $my_string,PHP_EOL;
echo ' key encode : ' , $key_encod,PHP_EOL . PHP_EOL;
echo ' string encode : ' , $genx[0],PHP_EOL;
echo ' key for decode : ' ,PHP_EOL, $genx[1],PHP_EOL . PHP_EOL;
echo PHP_EOL,"------------------",PHP_EOL . PHP_EOL;
$decode = vak32_decode($genx[0],$genx[1]);
echo ' String decode : ' ,$decode , PHP_EOL;
?>
[#2] bob dot orr at mailinator dot com [2015-02-09 02:10:55]
The #2 comment on this comments page (as of Feb 2015) is 9 years old and recommends phpass. I have independently security audited this product and, while it continues to be recommended for password security, it is actually insecure and should NOT be used. It hasn't seen any updates in years (still at v0.3) and there are more recent alternatives such as using the newer built-in PHP password_hash() function that are much better. Everyone, please take a few moments to confirm what I'm saying is accurate (i.e. review the phpass code for yourself) and then click the down arrow to sink the phpass comment to the bottom. You'll be increasing security across the Internet by doing so.
For those who want details: md5() with microtime() are a fallback position within the source code of phpass. Instead of terminating, it continues to execute code. The author's intentions of trying to work everywhere are admirable but, when it comes to application security, that stance actually backfires. The only correct answer in a security context is to terminate the application rather than fallback to a weak position that can potentially be exploited (usually by forcing that weaker position to happen).
[#3] sandeep [2014-10-06 09:29:46]
Sometimes because of crypt function used in code, a user may not be able to login on a site on one server but succeeds on another server. It may be because the hash generated on the development server is using different hash type and the testing/production server hash type is different. PHP version also plays some role here.
[#4] ian+php dot net at eiloart dot ocm [2014-05-16 12:46:33]
If you're stuck with CRYPT_EXT_DES, then you'll want to pick a number of iterations: the 2nd-5th characters of the "salt".
My experimentation suggests that the 5th character is the most significant. A '.' is a zero and 'Z' is the highest value. Using all dots will create an error: all passwords will be encrypted to the same value.
Here are some encryption timings (in seconds) that I obtained, with five different iteration counts over the same salt, and the same password, on a quad core 2.66GHz Intel Xeon machine.
_1111 time: 0.15666794776917
_J9.Z time: 1.8860530853271
_J9.. time: 0.00015401840209961
_...Z time: 1.9095730781555
_ZZZZ time: 1.9124970436096
_...A time: 0.61211705207825
I think a half a second is reasonable for an application, but for the back end authentication? I'm not so sure: there's a significant risk of overloading the back end if we're getting lots of authentication requests.
[#5] chris at seccosquared dot com [2014-04-21 16:59:55]
A great implementation of crypt, that will generate the password and a unique salt used for it for you to easily add the data to your Database. It is called Encryptor and it is available on github:
http://git.io/mSJqpw
[#6] Marten Jacobs [2014-01-07 21:57:20]
As I understand it, blowfish is generally seen a secure hashing algorithm, even for enterprise use (correct me if I'm wrong). Because of this, I created functions to create and check secure password hashes using this algorithm, and using the (also deemed cryptographically secure) openssl_random_pseudo_bytes function to generate the salt.
<?php
function generate_hash($password, $cost=11){
$salt=substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22);
$salt=str_replace("+",".",$salt);
$param='$'.implode('$',array(
"2y", //select the most secure version of blowfish (>=PHP 5.3.7)
str_pad($cost,2,"0",STR_PAD_LEFT), //add the cost in two digits
$salt //add the salt
));
//now do the actual hashing
return crypt($password,$param);
}
function validate_pw($password, $hash){
return crypt($password, $hash)==$hash;
}
?>
[#7] jette at nerdgirl dot dk [2013-04-25 07:48:27]
The crypt() function cant handle plus signs correctly. So if for example you are using crypt in a login function, use urlencode on the password first to make sure that the login procedure can handle any character:
<?php
$user_input = '12+#?345';
$pass = urlencode($user_input));
$pass_crypt = crypt($pass);
if ($pass_crypt == crypt($pass, $pass_crypt)) {
echo "Success! Valid password";
} else {
echo "Invalid password";
}
?>
[#8] mblaney at gmail dot com [2013-04-22 01:46:14]
For those wondering, like I did, what the maximum length of the returned hash can be for the purpose of storing it in a database, the answer is:
123 characters.
[#9] steve at tobtu dot com [2013-01-13 00:26:27]
To generate salt use mcrypt_create_iv() not mt_rand() because no matter how many times you call mt_rand() it will only have at most 32 bits of entropy. Which you will start seeing salt collisions after about 2^16 users. mt_rand() is seeded poorly so it should happen sooner.
For bcrypt this will actually generate a 128 bit salt:
<?php $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'); ?>
*** Bike shed ***
The last character in the 22 character salt is 2 bits.
base64_encode() will have these four character "AQgw"
bcrypt will have these four character ".Oeu"
You don't need to do a full translate because they "round" to different characters:
echo crypt('', '$2y$05$.....................A') . "\n";
echo crypt('', '$2y$05$.....................Q') . "\n";
echo crypt('', '$2y$05$.....................g') . "\n";
echo crypt('', '$2y$05$.....................w') . "\n";
$2y$05$......................J2ihDv8vVf7QZ9BsaRrKyqs2tkn55Yq
$2y$05$.....................O/jw2XygQa2.LrIT7CFCBQowLowDP6Y.
$2y$05$.....................eDOx4wMcy7WU.kE21W6nJfdMimsBE3V6
$2y$05$.....................uMMcgjnOELIa6oydRivPkiMrBG8.aFp.
[#10] Matteo [2012-05-18 22:39:19]
Password hashing should be done only with crypt and NEVER with SHA* and MD5 or hash(). The fundamental reason is that crypt is designed to be SLOW which is a VERY good thing for password hashing.
It also automatically generate a salt every time which makes pre-computed tables to "decrypt" passwords useless (the generated salt is stored in the returned string for convenience).
[#11] harry at simans dot net [2011-09-27 04:34:16]
I made a nice little wrapper function for crypt():
<?php
function hasher($info, $encdata = false)
{
$strength = "08";
//if encrypted data is passed, check it against input ($info)
if ($encdata) {
if (substr($encdata, 0, 60) == crypt($info, "$2a$".$strength."$".substr($encdata, 60))) {
return true;
}
else {
return false;
}
}
else {
//make a salt and hash it with input, and add salt to end
$salt = "";
for ($i = 0; $i < 22; $i++) {
$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
}
//return 82 char string (60 char hash & 22 char salt)
return crypt($info, "$2a$".$strength."$".$salt).$salt;
}
}
?>
This wrapper will accept a string as input and hash it, and output the hash result of the string and salt together, plus the salt added on the end. You can then store that output in a db, and pass it on to the function as the 2nd parameter when you go to verify it, along with the user input or whatever as the first.
Examples:
<?php
$hash = hasher($userinput);
if ($hash == hasher($userinput, $hash) {//authed}
?>
Neat huh?
[#12] kaminski at istori dot com [2011-02-05 15:43:47]
Here is an expression to generate pseudorandom salt for the CRYPT_BLOWFISH hash type:
<?php $salt = substr(str_replace('+', '.', base64_encode(pack('N4', mt_rand(), mt_rand(), mt_rand(), mt_rand()))), 0, 22); ?>
It is intended for use on systems where mt_getrandmax() == 2147483647.
The salt created will be 128 bits in length, padded to 132 bits and then expressed in 22 base64 characters. (CRYPT_BLOWFISH only uses 128 bits for the salt, even though there are 132 bits in 22 base64 characters. If you examine the CRYPT_BLOWFISH input and output, you can see that it ignores the last four bits on input, and sets them to zero on output.)
Note that the high-order bits of the four 32-bit dwords returned by mt_rand() will always be zero (since mt_getrandmax == 2^31), so only 124 of the 128 bits will be pseudorandom. I found that acceptable for my application.
[#13] mikey_nich (at) hotmáil . com [2007-03-04 07:47:35]
Are you using Apache2 on f.i. WinXP and want to create .htpasswd files via php? Then you need to use the APR1-MD5 encryption method. Here is a function for that:
<?php
function crypt_apr1_md5($plainpasswd) {
$salt = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"), 0, 8);
$len = strlen($plainpasswd);
$text = $plainpasswd.'$apr1$'.$salt;
$bin = pack("H32", md5($plainpasswd.$salt.$plainpasswd));
for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); }
for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $plainpasswd{0}; }
$bin = pack("H32", md5($text));
for($i = 0; $i < 1000; $i++) {
$new = ($i & 1) ? $plainpasswd : $bin;
if ($i % 3) $new .= $salt;
if ($i % 7) $new .= $plainpasswd;
$new .= ($i & 1) ? $bin : $plainpasswd;
$bin = pack("H32", md5($new));
}
for ($i = 0; $i < 5; $i++) {
$k = $i + 6;
$j = $i + 12;
if ($j == 16) $j = 5;
$tmp = $bin[$i].$bin[$k].$bin[$j].$tmp;
}
$tmp = chr(0).chr(0).$bin[11].$tmp;
$tmp = strtr(strrev(substr(base64_encode($tmp), 2)),
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
return "$"."apr1"."$".$salt."$".$tmp;
}
?>
[#14] solar at openwall dot com [2005-12-23 23:20:13]
With different password hashing methods supported on different systems and with the need to generate salts with your own PHP code in order to use the more advanced / more secure methods, it takes special knowledge to use crypt() optimally, producing strong password hashes. Other message digest / hashing functions supported by PHP, such as md5() and sha1(), are really no good for password hashing if used naively, resulting in hashes which may be brute-forced at rates much higher than those possible for hashes produced by crypt().
I have implemented a PHP password hashing framework (in PHP, tested with all of PHP 3, 4, and 5) which hides the complexity from your PHP applications (no need for you to worry about salts, etc.), yet does things in almost the best way possible given the constraints of the available functions. The homepage for the framework is:
http://www.openwall.com/phpass/
I have placed this code in the public domain, so there are no copyrights or licensing restrictions to worry about.
P.S. I have 10 years of experience in password (in)security and I've developed several other password security tools and libraries. So most people can feel confident they're getting this done better by using my framework than they could have done it on their own.
[#15] hotdog (at) gmx (dot) net [2005-11-16 07:34:00]
WRONG:
$mypassword = "toto";
$smd5_pass = "{SMD5}......." // in openldap
if (preg_match ("/{SMD5}/i", $smd5_pass))
{
$encrypted = substr($md5_pass, 6);
$hash = base64_decode($encrypted);
$salt = substr($hash,16);
$mhashed = mhash(MHASH_MD5, $mypassword . $salt) ;
$without_salt = explode($salt,$hash_hex);
if ($without_salt[0] == $mhashed) {
echo "Password verified <br>";
} else {
echo "Password Not verified<br>";
}
}
$without_salt = explode($salt,$hash_hex); should be $without_salt = explode($salt,$hash);
RIGHT:
$mypassword = "toto";
$smd5_pass = "{SMD5}......." // in openldap
if (preg_match ("/{SMD5}/i", $smd5_pass))
{
$encrypted = substr($md5_pass, 6);
$hash = base64_decode($encrypted);
$salt = substr($hash,16);
$mhashed = mhash(MHASH_MD5, $mypassword . $salt) ;
$without_salt = explode($salt,$hash);
if ($without_salt[0] == $mhashed) {
echo "Password verified <br>";
} else {
echo "Password Not verified<br>";
}
}
[#16] thorhajo at gmail dot com [2004-09-02 15:34:10]
Here's a little function I wrote to generate MD5 password hashes in the format they're found in /etc/shadow:
function shadow($password)
{
$hash = '';
for($i=0;$i<8;$i++)
{
$j = mt_rand(0,53);
if($j<26)$hash .= chr(rand(65,90));
else if($j<52)$hash .= chr(rand(97,122));
else if($j<53)$hash .= '.';
else $hash .= '/';
}
return crypt($password,'$1$'.$hash.'$');
}
I've written this so that each character in the a-zA-Z./ set has a 1/54 of a chance of being selected (26 + 26 + 2 = 54), thus being statistically even.