/passhash.php

https://github.com/bproctor/PassHash · PHP · 144 lines · 32 code · 11 blank · 101 comment · 2 complexity · 99d00a2974f0e6ad35458b655c747543 MD5 · raw file 

    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * passhash.php
    5. 

  5.  *
    6. 

  6.  * A strong password hashing class for PHP
    7. 

  7.  *
    8. 

  8.  * Copyright (c) 2010-2012 Brad Proctor. (http://bradleyproctor.com)
    9. 

  9.  *
    10. 

  10.  * Licensed under The MIT License
    11. 

  11.  * Redistributions of files must retain the above copyright notice.
    12. 

  12.  *
    13. 

  13.  * @author      Brad Proctor
    14. 

  14.  * @copyright   Copyright (c) 2010-2012 Brad Proctor
    15. 

  15.  * @license     MIT License (http://www.opensource.org/licenses/mit-license.php)
    16. 

  16.  * @link        http://bradleyproctor.com/
    17. 

  17.  * @version     1.9.1
    18. 

  18.  */
    19. 

  19. 

  20. /**
    21. 

  21.  * The Password class works by generating a 104-character hash.  The first 16 characters are a unique
    22. 

  22.  * salt value that is generated for each password.  The rest of the 88 characters is the hash generated
    23. 

  23.  * by the whirlpool algorithm, which is much stronger than common md5 or sha1 methods.  The hash value is
    24. 

  24.  * also created using the HMAC method and a site wide key is used to further secure the hash.  The site
    25. 

  25.  * wide key can be any value, but a very strong 80-character unique value for 'authPepper' can be generated at
    26. 

  26.  * http://bradleyproctor.com/tools/salt.php
    27. 

  27.  *
    28. 

  28.  * Usage:
    29. 

  29.  * $hash = Passhash::hash('password');  // Store this value in your database
    30. 

  30.  *
    31. 

  31.  * if (Passhash::compare('password', $hash) === true) {
    32. 

  32.  *    // Password is correct
    33. 

  33.  * } else {
    34. 

  34.  *    // Password was incorrect
    35. 

  35.  * }
    36. 

  36.  */
    37. 

  37. abstract class Passhash
    38. 

  38. {
    39. 

  39. 

  40.     /**
    41. 

  41.      * Number of characters in the salt value
    42. 

  42.      */
    43. 

  43.     const saltLength = 16;
    44. 

  44. 

  45.     /**
    46. 

  46.      * a unique site-wide value (pepper) to compliment the unique salts.
    47. 

  47.      * Change this to a unique value.
    48. 

  48.      */
    49. 

  49.     const authPepper = 'jS#W_;[;sjiNOUc9NG,S3T76NOTmK~%mu|#WI9-v.l^Bt]6H)1wz:kc=hPtS+JZv)haB!0dTo}klfWrr';
    50. 

  50. 

  51.     /**
    52. 

  52.      * Used for key stretching.  It is used to calculate the number of iterations to run the
    53. 

  53.      * hashing algorithm. Raise this to increase security, lower this to make it run faster.  Default value
    54. 

  54.      * is 5.
    55. 

  55.      */
    56. 

  56.     const authLevel = 5;
    57. 

  57. 

  58.     /*************************************************************************************/
    59. 

  59. 

  60.     /**
    61. 

  61.      * Generate a password salt
    62. 

  62.      *
    63. 

  63.      * @param int $length
    64. 

  64.      *    The number of characters that the salt should be
    65. 

  65.      *
    66. 

  66.      * @return string
    67. 

  67.      *    Returns a salt that can be used to salt a password hash
    68. 

  68.      *
    69. 

  69.      * @access private
    70. 

  70.      */
    71. 

  71.     final private static function salt()
    72. 

  72.     {
    73. 

  73.         $salt = '';
    74. 

  74.         while (strlen($salt) < static::saltLength) {
    75. 

  75.             $salt .= pack('C', dechex(mt_rand()));
    76. 

  76.         }
    77. 

  77.         return substr(base64_encode($salt), 0, static::saltLength);
    78. 

  78.     }
    79. 

  79. 

  80.     /**
    81. 

  81.      * PBKDF2 Implementation (described in RFC 2898)
    82. 

  82.      * Password-Based Key Derivation Function
    83. 

  83.      * (Simplified, since some variables are known)
    84. 

  84.      *
    85. 

  85.      * @param string $password
    86. 

  86.      *      The plain text password
    87. 

  87.      *
    88. 

  88.      * @param string $salt
    89. 

  89.      *      The salt used to generate the hash
    90. 

  90.      *
    91. 

  91.      * @return string
    92. 

  92.      *      Derived key
    93. 

  93.      *
    94. 

  94.      * @access private
    95. 

  95.      */
    96. 

  96.     final private static function pbkdf2($password, $salt)
    97. 

  97.     {
    98. 

  98.         $ib = $b = hash_hmac('whirlpool', $salt . static::authPepper, $password, true);
    99. 

  99.         for ($i = 1; $i < static::authLevel * 1000; $i++) {
    100. 

  100.             $ib ^= ($b = hash_hmac('whirlpool', $b . static::authPepper, $password, true));
    101. 

  101.         }
    102. 

  102.         return base64_encode($ib);
    103. 

  103.     }
    104. 

  104. 

  105.     /**
    106. 

  106.      * Generate a 104 character password hash
    107. 

  107.      *
    108. 

  108.      * @param string $password
    109. 

  109.      *    The plain text password
    110. 

  110.      *
    111. 

  111.      * @param string $salt
    112. 

  112.      *    The salt to use to generate the password
    113. 

  113.      *
    114. 

  114.      * @return string
    115. 

  115.      *    Returns the 104-character hashed and salted password
    116. 

  116.      *
    117. 

  117.      * @access public
    118. 

  118.      */
    119. 

  119.     final public static function hash($password, $salt = null)
    120. 

  120.     {
    121. 

  121.         $salt or $salt = static::salt();
    122. 

  122.         return $salt . static::pbkdf2($password, $salt);
    123. 

  123.     }
    124. 

  124. 

  125.     /**
    126. 

  126.      * Compare a password with a hash
    127. 

  127.      *
    128. 

  128.      * @param string $password
    129. 

  129.      *    The plain text password to compare
    130. 

  130.      *
    131. 

  131.      * @param string $hash
    132. 

  132.      *    The 104 character password hash
    133. 

  133.      *
    134. 

  134.      * @return bool
    135. 

  135.      *    Returns TRUE if the password matches, FALSE if not
    136. 

  136.      *
    137. 

  137.      * @access public
    138. 

  138.      */
    139. 

  139.     final public static function compare($password, $hash)
    140. 

  140.     {
    141. 

  141.         return 0 === strcmp($hash, static::hash($password, substr($hash, 0, static::saltLength), static::authLevel));
    142. 

  142.     }
    143. 

  143. 

  144. }
    145.