Using mcrypt_create_iv to create salt?

Question

I'm currently in the process of learning how hashing + salting works, I'm currently using this code on PHP to generate 'salt'

function calculateSalt(){
$iv = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
return $iv;
}

In theory this should return a good salt for hashing my passwords with. When I applied it to my small database of test passwords It seem'd like it looked pretty secure and unique although as this is a very low amount of test passwords I was wondering If this is an acceptable way to generate a good, unique salt or if mcrypt_create_iv was bad practice. From what I can tell it's main purpose isn't for salting but would It be bad If I used it for this purpose?

Note this database is not of public passwords, just test cases. Here is the salt + hashes using the above technique.

Answer 1

If you're implementing your own user login system it is very important to follow well-established guidelines and not to attempt to reinvent the wheel concerning the crypto. Here's a very good article on how to do password hashing and salting.

It also comes with the following PHP example: (I'll copy it here in case the original source goes down.)

<?php
/*
 * Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm).
 * Copyright (c) 2013, Taylor Hornby
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without 
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, 
 * this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation 
 * and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 * POSSIBILITY OF SUCH DAMAGE.
 */

// These constants may be changed without breaking existing hashes.
define("PBKDF2_HASH_ALGORITHM", "sha256");
define("PBKDF2_ITERATIONS", 1000);
define("PBKDF2_SALT_BYTE_SIZE", 24);
define("PBKDF2_HASH_BYTE_SIZE", 24);

define("HASH_SECTIONS", 4);
define("HASH_ALGORITHM_INDEX", 0);
define("HASH_ITERATION_INDEX", 1);
define("HASH_SALT_INDEX", 2);
define("HASH_PBKDF2_INDEX", 3);

function create_hash($password)
{
    // format: algorithm:iterations:salt:hash
    $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
    return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" .  $salt . ":" .
        base64_encode(pbkdf2(
            PBKDF2_HASH_ALGORITHM,
            $password,
            $salt,
            PBKDF2_ITERATIONS,
            PBKDF2_HASH_BYTE_SIZE,
            true
        ));
}

function validate_password($password, $correct_hash)
{
    $params = explode(":", $correct_hash);
    if(count($params) < HASH_SECTIONS)
       return false;
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return slow_equals(
        $pbkdf2,
        pbkdf2(
            $params[HASH_ALGORITHM_INDEX],
            $password,
            $params[HASH_SALT_INDEX],
            (int)$params[HASH_ITERATION_INDEX],
            strlen($pbkdf2),
            true
        )
    );
}

// Compares two strings $a and $b in length-constant time.
function slow_equals($a, $b)
{
    $diff = strlen($a) ^ strlen($b);
    for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)
    {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/*
 * PBKDF2 key derivation function as defined by RSA's PKCS #5: https://www.ietf.org/rfc/rfc2898.txt
 * $algorithm - The hash algorithm to use. Recommended: SHA256
 * $password - The password.
 * $salt - A salt that is unique to the password.
 * $count - Iteration count. Higher is better, but slower. Recommended: At least 1000.
 * $key_length - The length of the derived key in bytes.
 * $raw_output - If true, the key is returned in raw binary format. Hex encoded otherwise.
 * Returns: A $key_length-byte key derived from the password and salt.
 *
 * Test vectors can be found here: https://www.ietf.org/rfc/rfc6070.txt
 *
 * This implementation of PBKDF2 was originally created by https://defuse.ca
 * With improvements by http://www.variations-of-shadow.com
 */
function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false)
{
    $algorithm = strtolower($algorithm);
    if(!in_array($algorithm, hash_algos(), true))
        trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
    if($count <= 0 || $key_length <= 0)
        trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);

    if (function_exists("hash_pbkdf2")) {
        // The output length is in NIBBLES (4-bits) if $raw_output is false!
        if (!$raw_output) {
            $key_length = $key_length * 2;
        }
        return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
    }

    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);

    $output = "";
    for($i = 1; $i <= $block_count; $i++) {
        // $i encoded as 4 bytes, big endian.
        $last = $salt . pack("N", $i);
        // first iteration
        $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
        // perform the other $count - 1 iterations
        for ($j = 1; $j < $count; $j++) {
            $xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
        }
        $output .= $xorsum;
    }

    if($raw_output)
        return substr($output, 0, $key_length);
    else
        return bin2hex(substr($output, 0, $key_length));
}
?>

Answer 2

I would comment on @Jack's answer if I had enough rep but I don't so... following his answer you can look at Password Compat for generating password which is using the password_* functions being worked on for PHP 5.5.

Answer 3

Although mcrypt_create_iv() is technically meant to create initialisation vectors for symmetric encryption, it can be used to generate random salts just as well.

However, for passwords, you should be using a password hashing function instead:

$hash = password_hash('my difficult password');

It uses crypt() internally and, depending on the platform, will either read from /dev/urandom directly or use php_win32_get_random_bytes() to generate a salt if none is provided.

One advantage in terms of storage is that both the hash and salt are stored in a single opaque string.

See also: password_hash()

Answer 4

I'll give you a copy of my RandomBytes function. It uses the most random source available on your system.

$count is how many bytes you want.

$base64 is true to output base64, false to output a binary string.

$sessionIdSafe is true to modify the base64 in such a way that it is still valid for using as a sessionid in PHP. It changes the base64 character set from A-Za-z0-9+/ to A-Za-z0-9,- , and strips any '=' padding characters from the end of the string.

function randomBytes($count, $base64 = false, $sessionIdSafe = false)
{
    $bytes = '';

    if(is_readable('/dev/urandom') && ($urandom = fopen('/dev/urandom', 'rb')) !== false)
    {
        $bytes = fread($urandom, $count);
        fclose($urandom);
    }

    if((strlen($bytes) < $count) && function_exists('mcrypt_create_iv'))
    {
        // Use MCRYPT_RAND on Windows hosts with PHP < 5.3.7, otherwise use MCRYPT_DEV_URANDOM
        // (http://bugs.php.net/55169).
        $flag = (version_compare(PHP_VERSION, '5.3.7', '<') && strncasecmp(PHP_OS, 'WIN', 3) == 0) ? MCRYPT_RAND : MCRYPT_DEV_URANDOM ;
        $bytes = mcrypt_create_iv($count,$flag);
    }

    if((strlen($bytes) < $count) && function_exists('openssl_random_pseudo_bytes'))
    {
        $bytes = openssl_random_pseudo_bytes($count);
    }

    if ((strlen($bytes) < $count) && class_exists('COM'))
    {
        // Officially deprecated in Windows 7
        // http://msdn.microsoft.com/en-us/library/aa388182%28v=vs.85%29.aspx
        try
        {
            /** @noinspection PhpUndefinedClassInspection */
            $CAPI_Util = new COM('CAPICOM.Utilities.1');
            if(is_callable(array($CAPI_Util,'GetRandom')))
            {
                /** @noinspection PhpUndefinedMethodInspection */
                $bytes = $CAPI_Util->GetRandom(16,0);
                $bytes = base64_decode($bytes);
            }
        }
        catch (Exception $e)
        {
        }
    }

    if (strlen($bytes) < $count)
    {
        mt_srand(microtime(true)*1000000);
        $bytes = '';
        $random_state = microtime();
        if (function_exists('getmypid'))
            $random_state .= getmypid();

        // for every 16 bytes that we need
        for ($i = 0; $i < $count; $i += 16)
        {
            // generate 16 bytes at a time in hexadecimal
            $random_state =
                md5(microtime() . $random_state . mt_rand());
            // convert the hex into binary. using pack so that the code is backwards
            // compatible with pre php-5 since md5(data,raw) is only available in 5
            $bytes .=
                pack('H*', md5($random_state));
        }
        $bytes = substr($bytes, 0, $count);
    }

    if ($base64)
    {
        $result = base64_encode($bytes);
        if($sessionIdSafe)
        {
            $result = str_replace(array('+','/','='),array('-',','),$result);
        }
        return $result;
    }
    else
    {
        return $bytes;
    }
}