md5 to sha1

#1
[eluser]clintonbeattie[/eluser]
Hi,

I have a function to add an encrypted password to a database which is this...
Code:
function validate()
{
    // Look up a member whose username and MD5 password hash both match
    $this->db->where('username', $this->input->post('username'));
    $this->db->where('password', md5($this->input->post('password')));
    $query = $this->db->get('membership');

    // num_rows() is a method on the result object, not a property
    if ($query->num_rows() == 1)
    {
        return true;
    }

    return false;
}

What I would like to do is use SHA1. I have added an encryption key to my config file and added this function to my model...
Code:
// Hash the password with the site's encryption key appended as a salt
function _prep_password($password)
{
    return sha1($password . $this->config->item('encryption_key'));
}

How would I go about using this in my current code? This maybe?

Code:
$this->db->where('password', md5($this->input->post(_prep_password($password))));

Thanks for any advice.

C

#2
[eluser]stuffradio[/eluser]
If you want to use SHA1 instead of md5, just replace the md5() function with sha1() function.

#3
[eluser]BrianDHall[/eluser]
I'm confused; SHA1 is a one-way hashing mechanism that behaves pretty much the same as MD5, so you just replace any instance of "md5" with "sha1" in your code to start using it.

I don't understand the part about adding an encryption key - I think you might be confusing SHA1 for something else, like two-way (or "reversible") encryption such as that used by the session/cookie class for secure cookies or perhaps as used by the encryption library.

There is no need for an encryption key in sha1 - you can use a "salt", but that's another matter entirely.

#4
[eluser]clintonbeattie[/eluser]
Hi,

This is all quite new to me, so sorry for my lack of knowledge. I want to create a login area for users to access their saved data. Does this mean that I don't use SHA1 because there is no way to reverse it and therefore verify if the user is in the database?

I assume that is why this won't work? ... "If you want to use SHA1 instead of md5, just replace the md5() function with sha1() function."

I read the best way to encrypt is SHA1. Would I be better off using MD5 and a static salt? Is this secure enough?

Can you give me some scenarios where I would use SHA1?

Many thanks for the info so far.

#5
[eluser]BrianDHall[/eluser]
Oooo, I see your problem I think.

OK, SHA1() is a one-way hashing encryption concept. It turns "password" into an irreversible 'hash', or big lump of characters. So when you store the password the first time you don't store it in plain text, you store it as $store_value = sha1($submitted_password).

Then to see if the person provided the right password you do something like:

Code:
if (sha1($submitted_password) == $database_password_field)
{
    // password was valid!
}

The 'safety' of using features like sha1() is if someone gets a peek at your database password field they can't really do anything with it. So let's say they find out your admin username has a hashed password of "9boi3490939ig09jsgainoieng09309jg" - what can they do with that?

The reason for sha1 over md5 is primarily due to "collisions" - sometimes two different strings will end up having exactly the same hashed value. So let's say somehow "banana" has the same hashed value as "tomato" - someone can try to login with banana or tomato and they will be able to login just fine.

sha1 has less collisions than md5, and so is considered more secure. As to using a salt, this is rather more advanced security reasoning that involves invalidating attempts at dictionary hash cracks - and suffice it to say that you really don't have to use salt to be secure. It's just an extra layer of security, and you are in most cases just fine avoiding the complexity of such things if you are new to cryptography and/or programming.
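The store-then-compare pattern this post describes, as an added stand-alone example (not code from the thread or from CodeIgniter). The passwords are constructed sample values and a local variable stands in for the database column:

```php
<?php
// Added example (not code from this thread): the store-then-compare pattern
// post #5 describes, with a local variable standing in for the stored
// password column. The passwords below are constructed sample values.

// At sign-up: keep only the hash. sha1() returns 40 lowercase hex characters
// and cannot be turned back into the password.
function store_password($submitted_password)
{
    return sha1($submitted_password);
}

// At login: hash the attempt the same way and compare with the stored hash.
// === (strict) rather than == avoids PHP's loose string-to-number comparison,
// which treats two hashes of the form "0e<digits>" as the equal number zero.
function password_matches($submitted_password, $stored_hash)
{
    return sha1($submitted_password) === $stored_hash;
}

$stored_hash = store_password('tomato');

var_dump(password_matches('tomato', $stored_hash));   // same input, same hash
var_dump(password_matches('Tomato', $stored_hash));   // one changed byte, different hash

// Width of the column that holds the hash: md5() and sha1() hex digests differ
// in length, so a password column sized for md5 output cannot hold a sha1 hash.
printf("md5 hex length:  %d\n", strlen(md5('tomato')));
printf("sha1 hex length: %d\n", strlen(sha1('tomato')));
```

Run it with `php example.php`. Two things worth checking before switching an existing table from md5() to sha1(): compare hashes with `===` (or, on PHP 5.6 and later, `hash_equals()`) rather than `==`, and confirm the password column is wide enough, since sha1() produces 40 hex characters against md5()'s 32.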

#6
[eluser]clintonbeattie[/eluser]
Mmmm. I think I'm understanding. Thanks again. So how would my previous function be written to check if the SHA1'd password is in the database?

Here is my original code...

Code:
class Membership_model extends Model {

    // Returns true when exactly one member matches the submitted username and password hash
    function validate()
    {
        $this->db->where('username', $this->input->post('username'));
        $this->db->where('password', md5($this->input->post('password')));
        $query = $this->db->get('membership');

        // num_rows() is a method on the result object, not a property
        if ($query->num_rows() == 1)
        {
            return true;
        }

        return false;
    }

    // Inserts a new member row; the password is stored as its MD5 hash
    function create_member()
    {
        $new_member_insert_data = array(
            'first_name'    => $this->input->post('first_name'),
            'last_name'     => $this->input->post('last_name'),
            'email_address' => $this->input->post('email_address'),
            'username'      => $this->input->post('username'),
            'password'      => md5($this->input->post('password'))
        );

        $insert = $this->db->insert('membership', $new_member_insert_data);
        return $insert;
    }
}

#7
[eluser]Twisted1919[/eluser]
This is very simple actually.
Let's simplify things as much as possible:
Code:
//ON REGISTRATION
$password = $this->input->post('password',TRUE);
$password = sha1($password);
//Then insert the data into database as you did in previous post .


//ON LOGIN
$username = $this->input->post('username',TRUE);
$password = $this->input->post('password',TRUE);
$password = sha1($password);
if($this->some_model->validate_data($username,$password) == TRUE){
//Auth the user
}else{
//prompt error
}

As you can see, on registration we create the hash of the password using sha1, then on login, we search for that hash for the user, using a model.
The validate_data() function can be like this.
Code:
public function validate_data($username, $password)
{
    $this->db->select('userid');
    $this->db->where('user_password', $password); // notice, here $password is already hashed
    $this->db->where('user_name', $username);
    $query = $this->db->get('users');
    return $query->num_rows() > 0;
}

It's pretty simple as you can see: on registration, you will transform the password into a hash, then on login you will check to see if the hash of the provided password matches the one from the database.
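The registration and login flow from this post, combined with the asker's `_prep_password()` idea of appending the site key as a salt, as an added runnable example (not code from the thread or from CodeIgniter). An in-memory array replaces `$this->db` so it runs without a database, and the site key is a constructed placeholder for the config item `encryption_key`:

```php
<?php
// Added example (not the thread's code): registration and login with a salted
// sha1 hash, shaped like the asker's _prep_password() and Twisted1919's
// validate_data(). An in-memory array replaces $this->db so this runs
// stand-alone; the site key is a constructed placeholder for 'encryption_key'.

class PasswordStore
{
    private $site_key;
    private $users = array();   // username => array('password' => hash)

    public function __construct($site_key)
    {
        $this->site_key = $site_key;
    }

    // Same idea as _prep_password(): the site key acts as a salt, so a hash
    // copied out of this table does not match a plain sha1() of the password.
    private function prep_password($password)
    {
        return sha1($password . $this->site_key);
    }

    // ON REGISTRATION: store the hash, never the password itself.
    public function create_member($username, $password)
    {
        if (isset($this->users[$username])) {
            return false;   // duplicate username
        }
        $this->users[$username] = array('password' => $this->prep_password($password));
        return true;
    }

    // ON LOGIN: hash the attempt the same way, then compare with the stored hash.
    // Unlike the post's validate_data(), this takes the plain password and hashes
    // it here, so both sides of the comparison are built by the same function.
    public function validate_data($username, $password)
    {
        if (!isset($this->users[$username])) {
            return false;   // unknown user
        }
        $stored = $this->users[$username]['password'];
        // hash_equals() (PHP >= 5.6) compares in constant time and avoids the loose
        // == comparison that treats two "0e<digits>" strings as equal numbers.
        return hash_equals($stored, $this->prep_password($password));
    }
}

$store = new PasswordStore('replace-with-config-encryption_key');   // placeholder key
$store->create_member('clinton', 'tomato');                          // constructed sample user

var_dump($store->validate_data('clinton', 'tomato'));   // correct password
var_dump($store->validate_data('clinton', 'banana'));   // wrong password
var_dump($store->validate_data('nobody', 'tomato'));    // unknown user
```

One caveat on the single site-wide salt used here: every user who picks the same password gets the same stored hash, so a salt generated per user and stored beside the hash is the stronger form of the "salt" posts #3 and #5 mention. Whichever you choose, the hash must be produced by the same function at registration and at login, and the password column must be wide enough for sha1()'s 40 hex characters.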

#8
[eluser]clintonbeattie[/eluser]
Thanks for that. I will dabble with that this evening.

#9
[eluser]skunkbad[/eluser]
You've got to remember that SHA1 hashes are longer than MD5 hashes. I believe MD5 is 40 chars and SHA1 is 60. Your database password field will need to be altered to accommodate the longer string, or your queries to the database for matches will always return empty.

#10
[eluser]clintonbeattie[/eluser]
Thanks for that tip. Didn't realize that. I may even put a static salt hash on too. Maybe MD5 would be enough? I will test it out anyway.

