
I'm currently rewriting an ASP Classic site in PHP. Everything so far has been simple until I reached the password hashing function. In PHP I've used hash_hmac and hash, but I seem unable to replicate this function's results using a static salt in PHP. Please could someone help guide me as to how to produce the same result in PHP?

```asp
<%
' Builds the salted input: site-wide salt & password & per-user salt
Function Hash(strPassword, strIndividualSalt)

  Const strSiteWideSalt = "Bacon and HASH is best served with a good Salt!"
  Hash = HashSHA512Managed(strSiteWideSalt & strPassword & strIndividualSalt)

End Function

Function HashSHA512Managed(saltedPassword)

  Dim objUnicode, objSHA512
  Dim arrByte
  Dim strHash
  Set objUnicode = CreateObject("System.Text.UnicodeEncoding")
  Set objSHA512 = Server.CreateObject("System.Security.Cryptography.SHA512Managed")

  ' UnicodeEncoding yields UTF-16 little-endian bytes, which are then hashed
  arrByte = objUnicode.GetBytes_4(saltedPassword)
  strHash = objSHA512.ComputeHash_2((arrByte))

  HashSHA512Managed = ToBase64(strHash)

End Function

' Base64-encodes a byte array via MSXML
Function ToBase64(rabyt)
    Dim xml: Set xml = CreateObject("MSXML2.DOMDocument.3.0")
    xml.LoadXml "<root />"
    xml.documentElement.dataType = "bin.base64"
    xml.documentElement.nodeTypedValue = rabyt
    ToBase64 = xml.documentElement.Text
End Function

Response.Write Hash("mypassword", "mysalt")
%>
```

This outputs...

1Asf3PuLZetBni4laI7jDKG3fbhlzKzB41G2694oZdH6nELLXklqtvY8Tniqjf3/2/gGg01fzs4w67l1Tfs20A==

Should I be using hash_hmac? Or do I need to replicate the function in PHP using hash()? Any help would be appreciated.

  • The Classic ASP example is using .Net assemblies exposed via COM+ to facilitate the functionality which you will not be able to do with PHP. However PHP does have its own built-in libraries for cryptographic functions *(depending on the version)*. [SO - Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) and [SO - how to implement sha 512,md5 and salt encryption all for one password](http://stackoverflow.com/questions/21711890/how-to-implement-sha-512-md5-and-salt-encryption-all-for-one-password) – user692942 Feb 04 '15 at 10:27
  • Thanks for the feedback. I have used PHP's library before, I'm just a perfectionist so in rewriting the core functions I like to replicate the exact results. The site I'm writing will be version 2.0 of their app so I'll just have to content myself by making it more efficient and having less code. – kurt Feb 04 '15 at 11:11
  • Well as long as the implementation follows the same pattern - Salted Password built the same way, Unicode Encoding of the Salted Password followed by the SHA512 hash converted to Base64 you should be fine. – user692942 Feb 04 '15 at 11:36
  • You shouldn't need to use `hash_hmac()`. Have you tried `echo hash('sha512', your_unicode_encoded_salted_password_here)`? – user692942 Feb 04 '15 at 11:51
  • Yes, I tried that and couldn't get it to work. I think the issue was the ASP line `arrByte = objUnicode.GetBytes_4(saltedPassword)`. I couldn't find the PHP equivalent for it before I hash it. – kurt Feb 04 '15 at 12:59
  • That line is encoding the salted password as unicode then passing the converted bytes to the hashing function. The equivalent (no PHP expert by any means) would probably be [`mb_convert_encoding()`](http://php.net/manual/en/function.mb-convert-encoding.php). You might also want to use [`mb_detect_encoding()`](http://php.net/manual/en/function.mb-detect-encoding.php) first to check what encoding the string is to start with. Once you have the correctly encoded string try the hash again. – user692942 Feb 04 '15 at 13:03
  • Also if it detects it as `ASCII` first off shouldn't that be in the encoding_list for `mb_convert_encoding()`? See [SO - mb_detect_encoding detects ASCII as UTF-8?](http://stackoverflow.com/a/16299777/692942) Something like `$saltedpasss = mb_convert_encoding($saltedpass, "UTF-8", mb_detect_encoding($saltedpass, "ASCII UTF-8, ISO-8859-1, ISO-8859-15", true));` that? – user692942 Feb 04 '15 at 13:33
  • Or even just simplify it further - `$saltedpasss = mb_convert_encoding($saltedpass, "UTF-8", "ASCII");` – user692942 Feb 04 '15 at 13:38
  • Definitely the same issue as [SO - mb_detect_encoding detects ASCII as UTF-8?](http://stackoverflow.com/a/16299777/692942). Tried that now as well, still stays ASCII – kurt Feb 04 '15 at 13:40
  • Weird, until you can get over that hurdle the `hash()` will never produce the right result because it will be hashing the `ASCII` string not a unicode one. Might be another question in the works... – user692942 Feb 04 '15 at 13:44
  • Hmm... interesting [this thread](http://board.issociate.de/thread/485048/mbconvertencoding-converting-to-ASCII-instead-of-UTF-8.html) suggests the culprit is [`mb_detect_order()`](http://php.net/manual/en/function.mb-detect-order.php). – user692942 Feb 04 '15 at 13:49
  • I'm running 5.5 on my local machine and 5.3 on the server. I get the same result on both. – kurt Feb 04 '15 at 13:49
  • Just looking at this [SO - Strange behaviour of mb_detect_order() in PHP](http://stackoverflow.com/questions/2881247/strange-behaviour-of-mb-detect-order-in-php). Seems a common problem. – user692942 Feb 04 '15 at 13:52
  • It does, it's just a little unnerving how `$saltedpasss = mb_convert_encoding($saltedpass, "UTF-8", "ASCII");` still outputs ASCII – kurt Feb 04 '15 at 13:56
  • What if you try `mb_convert_encoding($saltedpass, "UTF-8", "auto");`? – user692942 Feb 04 '15 at 14:03
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackoverflow.com/rooms/70228/discussion-on-question-by-kurt-how-to-replicate-asp-classic-sha512-hash-function). – Taryn Feb 04 '15 at 14:03
  • @kurt hi, did you solve? Please could you share your php code? – Andrea Apr 28 '22 at 13:20
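
An added example, not code from the question or its commenters: .NET's `System.Text.UnicodeEncoding` encodes to UTF-16 little-endian without a byte-order mark, so the PHP side has to hash UTF-16LE bytes rather than UTF-8 or ASCII, and a salted single-pass SHA-512 is best kept only as a migration check that re-hashes with `password_hash()` on the next successful login. It assumes PHP 7 or later with `mbstring`, UTF-8 input strings, and hypothetical function names (`legacy_hash`, `verify_and_upgrade`); run it and compare the result for `"mypassword"` / `"mysalt"` against the value the ASP page printed.

```php
<?php
declare(strict_types=1);

// Site-wide salt copied from the ASP code on this page.
const SITE_WIDE_SALT = 'Bacon and HASH is best served with a good Salt!';

/**
 * Same pipeline as the ASP Hash(): site salt . password . user salt,
 * encoded as UTF-16LE, hashed with SHA-512, then Base64-encoded.
 */
function legacy_hash(string $password, string $individualSalt): string
{
    $salted = SITE_WIDE_SALT . $password . $individualSalt;
    // Assumption: PHP holds these strings as UTF-8.
    $utf16le = mb_convert_encoding($salted, 'UTF-16LE', 'UTF-8');
    // true = raw 64-byte digest; the hex form would Base64 to a different value.
    return base64_encode(hash('sha512', $utf16le, true));
}

/**
 * Checks a password against a stored legacy hash. On success, $newHash
 * receives a password_hash() value to store in place of the legacy one.
 */
function verify_and_upgrade(
    string $password,
    string $individualSalt,
    string $storedLegacy,
    ?string &$newHash
): bool {
    $newHash = null;
    // Remove any whitespace or line breaks the stored Base64 may carry.
    $stored = preg_replace('/\s+/', '', $storedLegacy);
    // Constant-time comparison to avoid leaking match position via timing.
    if (!hash_equals($stored, legacy_hash($password, $individualSalt))) {
        return false;
    }
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Value printed by the ASP page for Hash("mypassword", "mysalt").
$aspOutput = '1Asf3PuLZetBni4laI7jDKG3fbhlzKzB41G2694oZdH6nELLXklqtvY8Tniqjf3/2/gGg01fzs4w67l1Tfs20A==';

echo legacy_hash('mypassword', 'mysalt'), PHP_EOL;
var_dump(verify_and_upgrade('mypassword', 'mysalt', $aspOutput, $upgraded));
var_dump($upgraded !== null && password_verify('mypassword', $upgraded));
```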
