I am building my classes for development and am working on an encryption class. I have been reading up on PHP's crypt function and the different encryption types, but a few areas have been vaguely explained.

My understanding is there are these encryption options: CRYPT_STD_DES, CRYPT_EXT_DES, CRYPT_MD5, CRYPT_BLOWFISH, CRYPT_SHA256, and CRYPT_SHA512. To see if they are enabled you just check:

<?php
// CRYPT_FOO stands for any of the constants listed above, e.g. CRYPT_BLOWFISH;
// each is 1 when that hash type is available in this PHP build
if (CRYPT_BLOWFISH == 1) {
    // is enabled
}

Questions

What are the salt requirements/format for the different encryption types, other than the Blowfish requirements, which are on SO?

And just for clarification, I assume if you use a Blowfish salt with crypt() it automatically does the Blowfish encryption?

Yamiko
  • possible duplicate of [PHP crypt and salt - more clarification please](http://stackoverflow.com/questions/2192354/php-crypt-and-salt-more-clarification-please) – Ken White Apr 13 '12 at 22:34
  • If you're trying to encrypt passwords, just use bcrypt, it's the most secure you can have. http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – aledalgrande Apr 13 '12 at 22:42
  • @KenWhite those questions explain some of what I'm asking. They are using Blowfish, which is the 16 bit encryption. I'm unsure as to what the requirements are for the salts of the various encryption types like `sha256`. – Yamiko Apr 14 '12 at 00:46
  • @aledalgrande for my passwords I will use bcrypt, which is `CRYPT_BLOWFISH`, but my class will also support other encryptions. – Yamiko Apr 14 '12 at 01:26

1 Answer

The official documentation of the crypt function has quite some information about the various modes, and what should be passed as their salt parameter:

  • CRYPT_STD_DES: two character salt from the alphabet ./0-9A-Za-z, i.e. a 12-bit salt.
  • CRYPT_EXT_DES: a _ character, then a 4 character iteration count, then a 4 character salt (each using the same alphabet).
  • CRYPT_MD5: a marker $1$, then 9 more salt characters (using the same alphabet as above, I suppose).
  • CRYPT_BLOWFISH: a marker $2a$, then a two digit cost parameter in the range 04 to 31 (meaning 2^4 to 2^31 iterations), then $ and a 22-digit salt (again, using the same alphabet as above).
  • CRYPT_SHA256: a marker $5$, an optional round parameter indication of rounds=number$ (with a decimal number between 1000 and 999999999), and a 16-character salt (using the same alphabet as above).
  • CRYPT_SHA512: a marker $6$, an optional round parameter indication of rounds=number$ (with a decimal number between 1000 and 999999999), and a 16-character salt (using the same alphabet as above).

The start of the salt parameter uniquely identifies which kind of password hash algorithm is to be used here - so yes, if you use a salt in the bcrypt format (starting with $2a$), it will automatically use bcrypt.

Paŭlo Ebermann
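The salt formats listed in the answer, and the point that the leading characters of the salt select the algorithm, as an added PHP example that is not part of the original question or answer. It assumes PHP 7 or later (for random_bytes() and hash_equals()); the helper names make_salt(), crypt_mode_of(), crypt_salt_chars() and crypt_ext_des_encode24() are my own, and the password strings are constructed test input. It also goes one step beyond the answer by showing that a verifier needs nothing but the stored hash, and that CRYPT_STD_DES only looks at the first 8 characters of the password.

```php
<?php
// Added example, not code from the original post. Builds a salt in the format
// each crypt() mode expects, hashes a password with it, and reads the
// algorithm back from the prefix of the result. Only PHP built-ins are used.

// The crypt salt alphabet ./0-9A-Za-z: 64 symbols, index 0..63.
function crypt_alphabet(): string
{
    return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
}

// $len random characters from the crypt alphabet. Masking a byte with 0x3f
// maps uniformly onto the 64 symbols, so no modulo bias.
function crypt_salt_chars(int $len): string
{
    $alphabet = crypt_alphabet();
    $out = '';
    foreach (str_split(random_bytes($len)) as $byte) {
        $out .= $alphabet[ord($byte) & 0x3f];
    }
    return $out;
}

// CRYPT_EXT_DES encodes its 4-character iteration count (and salt) as a
// 24-bit value, least significant 6 bits first.
function crypt_ext_des_encode24(int $value): string
{
    $alphabet = crypt_alphabet();
    $out = '';
    for ($i = 0; $i < 4; $i++) {
        $out .= $alphabet[$value & 0x3f];
        $value >>= 6;
    }
    return $out;
}

// A fresh, correctly formatted salt for the named mode (helper name is mine).
function make_salt(string $mode, int $cost = 12, int $rounds = 100000): string
{
    switch ($mode) {
        case 'CRYPT_STD_DES':        // 2 salt characters
            return crypt_salt_chars(2);
        case 'CRYPT_EXT_DES':        // '_' + 4-char iteration count + 4-char salt
            return '_' . crypt_ext_des_encode24($rounds) . crypt_salt_chars(4);
        case 'CRYPT_MD5':            // '$1$' + up to 8 salt characters + '$'
            return '$1$' . crypt_salt_chars(8) . '$';
        case 'CRYPT_BLOWFISH':       // '$2y$' + 2-digit cost (04..31) + '$' + 22 salt characters
            if ($cost < 4 || $cost > 31) {
                throw new InvalidArgumentException('bcrypt cost must be between 04 and 31');
            }
            // $2y$ is the prefix PHP >= 5.3.7 provides; $2a$ as in the answer is also accepted.
            return sprintf('$2y$%02d$', $cost) . crypt_salt_chars(22);
        case 'CRYPT_SHA256':         // '$5$' + optional 'rounds=N$' + 16 salt characters + '$'
            return sprintf('$5$rounds=%d$%s$', $rounds, crypt_salt_chars(16));
        case 'CRYPT_SHA512':         // same layout with marker '$6$'
            return sprintf('$6$rounds=%d$%s$', $rounds, crypt_salt_chars(16));
        default:
            throw new InvalidArgumentException("unknown crypt mode $mode");
    }
}

// The answer's point as code: the start of a salt (or of a hash, which begins
// with its salt) uniquely identifies the algorithm.
function crypt_mode_of(string $saltOrHash): string
{
    if (substr($saltOrHash, 0, 3) === '$1$') return 'CRYPT_MD5';
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $saltOrHash)) return 'CRYPT_BLOWFISH';
    if (substr($saltOrHash, 0, 3) === '$5$') return 'CRYPT_SHA256';
    if (substr($saltOrHash, 0, 3) === '$6$') return 'CRYPT_SHA512';
    if ($saltOrHash[0] === '_') return 'CRYPT_EXT_DES';
    return 'CRYPT_STD_DES';
}

$password = 'correct horse battery staple';   // constructed test input
$modes = ['CRYPT_STD_DES', 'CRYPT_EXT_DES', 'CRYPT_MD5', 'CRYPT_BLOWFISH', 'CRYPT_SHA256', 'CRYPT_SHA512'];
foreach ($modes as $mode) {
    if (constant($mode) !== 1) {               // the availability check from the question
        echo "$mode: not available in this build\n";
        continue;
    }
    $hash = crypt($password, make_salt($mode));
    // Verification: re-run crypt() with the stored hash as the salt and compare
    // in constant time. The stored hash carries its own marker, cost/rounds and
    // salt, so the verifier never has to be told which mode was used.
    $ok  = hash_equals($hash, crypt($password, $hash));
    $bad = hash_equals($hash, crypt('wrong password', $hash));
    printf("%-14s detected=%-14s verify=%s reject=%s  %s\n",
        $mode, crypt_mode_of($hash), $ok ? 'ok' : 'FAIL', $bad ? 'FAIL' : 'ok', $hash);
}

// Caveat on CRYPT_STD_DES: only the first 8 characters of the password count.
$desSalt = make_salt('CRYPT_STD_DES');
$same = (crypt('password1', $desSalt) === crypt('password2', $desSalt));
echo 'STD_DES ignores characters past the 8th: ', ($same ? "yes\n" : "no\n");
```

The verification loop is the practical consequence of the answer: store the full output of crypt(), pass it back as the salt when checking, and compare with hash_equals() rather than ==. For storing passwords today, password_hash() and password_verify() (PHP 5.5 and later) wrap the bcrypt path with a generated salt, which is what aledalgrande's comment above recommends.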