futureslay

Reputation: 366

My generated salts are both exactly the same

So, I'm 'randomly' generating two salts for use with later encryption and hashing. These are generated during the application's install process and then copied into a global configurations file via:

file_put_contents()

Now, when these are generated, I can view them in my 'globalParams.php' file. They are stored as values of an array, but this array is not utilised at all in this installation process.

The code for generation is as follows:

// Let's generate some encryption salts:

$options = [
    'cost' => 12,
    'salt' => mcrypt_create_iv(32, MCRYPT_DEV_URANDOM),
];

$salt = password_hash(mt_rand(), PASSWORD_BCRYPT, $options);
$salt = password_hash($salt, PASSWORD_BCRYPT, $options);

$salt2 = password_hash(mt_rand(), PASSWORD_BCRYPT, $options);
$salt2 = password_hash($salt2, PASSWORD_BCRYPT, $options);

After this, they are placed into the config file like so:

// Let's open up our template globalParams.php and replace some strings..

$editFile = file_get_contents('newGlobalParams.php');

$editFile = str_replace( "database_hostname", $hostname, $editFile );
$editFile = str_replace( "database_username", $dbUser, $editFile );
$editFile = str_replace( "database_password", $dbPass, $editFile );
$editFile = str_replace( "database_name", $database, $editFile );

$editFile = str_replace( "encryption_salt", $salt, $editFile );
$editFile = str_replace( "encryption_salt2", $salt2, $editFile );

// Replace the original globalParams.php now that the system is set up..

file_put_contents('../_includes/globalParams.php', $editFile);

And these are example outputs:

$parameters['main']['salt']   = "$2y$12$cLSGeEoau5/4NEZ3Fe8qquxwUBc6aL5fmcYUlQtavdoIY1L7NKnaG";
$parameters['main']['salt2']   = "$2y$12$cLSGeEoau5/4NEZ3Fe8qquxwUBc6aL5fmcYUlQtavdoIY1L7NKnaG2";

Why are they identical, but with an appended 2?

More code, including the entire installer file, can be posted if needed..

Ta.

Edit:

Here are the results that are echoed right after generation:

$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA2
$2y$12$uuZoLwioBePD9aDozrOJkuicthSCvq2mpGTQlKNGZ.jLUUrfSDEq.

Values dumped to 'globalParams.php':

$parameters['main']['salt']   = "$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA2";
$parameters['main']['salt2']   = "$2y$12$uuZoLwioBePD9aDozrOJkus3e/DuShspaqKzzCDVne6BwVsyDkBA22";

Template of 'globalParams.php':

<?php

// Global configurations file

$parameters['dbC']['hostname']  = "database_hostname";
$parameters['dbC']['username']  = "database_username";
$parameters['dbC']['password']  = "database_password";
$parameters['dbC']['database']  = "database_name";

$parameters['main']['salt']   = "encryption_salt";
$parameters['main']['salt2']   = "encryption_salt2";

session_start(); // Start the session, ready for the user to login with.
putenv( "TZ=Europe/London" ); // Set the timezone for cookies and the sessions.

require_once('databaseFunctions.php');
require_once('coreFunctions.php');

if(file_exists('_install/')) { // Ensures no malicious user can reinstall the application using their own data..

    exit( "Please delete the \"install\" directory." );

}

Upvotes: 0

Views: 55

Answers (2)

martinstoeckli

Reputation: 24071

Flosculus already answered your question, but nevertheless I would like to point out some other details.

The way you generate the "salts" is very expensive. I'm not sure what the purpose of them is, there are actually four possibilities:

  1. Used as key for encryption
  2. Used as IV for encryption
  3. Used as key/pepper for password hashing
  4. Used as salt for password hashing

To hash passwords (case 4) it would be better to leave out the salt parameter completely, password_hash() will then automatically generate a safe salt for each password. It is absolutely unnecessary and bad for your server's CPU to use key-stretching for a salt, the same salt should not be used for more than one password, and you lose entropy creating it this way.

The same goes for encryption. If you need a key (case 1), then just generate some random bytes and use bin2hex() for storing them readable in a config file. If you need an IV (case 2), you should generate it for each text you want to encrypt, and store it with your encrypted string. An IV should not be used for more than one encrypted string.

Upvotes: 0
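The following is an added example, not code from the answer above or from the questioner's installer. It shows the three cases the answer recommends handling differently: a key as plain random bytes stored via bin2hex(), an IV drawn fresh for every message and stored next to the ciphertext, and password_hash() left to choose its own salt. It assumes PHP 7.1 or later (random_bytes(), the AEAD form of openssl_encrypt()) with the OpenSSL extension; the cipher name, function names and the config-line format are my choices, not anything from the original page.

```php
<?php
// Added example (not from the original question or answers).
// Assumes PHP >= 7.1 with ext/openssl.

// Case 1: an encryption key is just random bytes. bin2hex() makes it safe to
// embed in a config file; hex2bin() recovers the raw key when it is used.
function generateHexKey(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));   // 32 bytes = 256-bit key, 64 hex chars
}

// Case 2: a new IV per message, stored in front of the ciphertext. AES-GCM also
// produces an authentication tag, so tampering is detected on decryption.
function encryptWithFreshIv(string $plaintext, string $hexKey): string
{
    $key = hex2bin($hexKey);
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes, never reused
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);   // layout: iv(12) | tag(16) | ciphertext
}

function decryptWithStoredIv(string $blob, string $hexKey): ?string
{
    $key   = hex2bin($hexKey);
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length('aes-256-gcm');
    if ($raw === false || strlen($raw) < $ivLen + 16) {
        return null;                          // malformed blob
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, 16);
    $ct  = substr($raw, $ivLen + 16);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;        // false: wrong key or tampered data
}

// Case 4: no hand-made salt. password_hash() draws a fresh salt for every
// password; the cost factor is the only thing worth configuring.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Writing a generated value into a PHP config file: var_export() quotes and
// escapes it, so the file stays valid PHP whatever characters the value holds
// (the str_replace() approach in the question pastes the value in raw).
function renderConfigLine(string $name, string $value): string
{
    return "\$parameters['main']['$name'] = " . var_export($value, true) . ";\n";
}

// Demo with a constructed message.
$hexKey = generateHexKey();
echo renderConfigLine('key', $hexKey);

$blob = encryptWithFreshIv('secret message', $hexKey);
assert(decryptWithStoredIv($blob, $hexKey) === 'secret message');
assert(encryptWithFreshIv('secret message', $hexKey) !== $blob);   // fresh IV each call

$tampered = base64_encode(substr(base64_decode($blob), 0, -1) . "\0");
assert(decryptWithStoredIv($tampered, $hexKey) === null);            // tag check fails

$hash = hashPassword('correct horse');
assert(password_verify('correct horse', $hash));
assert(hashPassword('correct horse') !== $hash);                     // per-password salt
```

Only the hex key ends up in the config file; the IV and tag travel with each ciphertext, which is what the answer means by "store it with your encrypted string". The two-round password_hash() dance from the question is replaced by a single random_bytes() call, which is both cheaper and keeps the full 256 bits of entropy.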

Flosculus

Reputation: 6946

The problem is this:

$editFile = str_replace( "encryption_salt", $salt, $editFile );
$editFile = str_replace( "encryption_salt2", $salt2, $editFile );

You are replacing the encryption_salt in encryption_salt2 on the first replacement.
Then the second replacement does nothing because the pattern encryption_salt2 no longer exists.

Upvotes: 3
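An added example reproducing the prefix collision this answer describes and showing two ways to avoid it; it is not code from the answer or from the questioner's installer. The placeholder names come from the question's template; the sample salt values are constructed for the demo.

```php
<?php
// Added example (not from the original question or answers).

// Reduced copy of the template from the question; the database placeholders
// in the real file behave the same way.
$template = <<<'PHP'
$parameters['main']['salt']   = "encryption_salt";
$parameters['main']['salt2']  = "encryption_salt2";
PHP;

// Constructed stand-ins for the generated salts.
$salt  = 'SALT_ONE';
$salt2 = 'SALT_TWO';

// 1. The question's order: "encryption_salt" is a prefix of "encryption_salt2",
//    so the first call rewrites both lines and the second finds nothing left.
$buggy = str_replace('encryption_salt',  $salt,  $template);
$buggy = str_replace('encryption_salt2', $salt2, $buggy);
echo $buggy, PHP_EOL;
// $parameters['main']['salt']   = "SALT_ONE";
// $parameters['main']['salt2']  = "SALT_ONE2";

// 2. Fix A: replace the longer placeholder first, so the shorter one can no
//    longer match inside it.
$fixedA = str_replace('encryption_salt2', $salt2, $template);
$fixedA = str_replace('encryption_salt',  $salt,  $fixedA);

// 3. Fix B: strtr() with a map tries the longest key first and never rescans
//    text it has already replaced, so the map's order does not matter.
$fixedB = strtr($template, [
    'encryption_salt'  => $salt,
    'encryption_salt2' => $salt2,
]);

assert($fixedA === $fixedB);
echo $fixedB, PHP_EOL;
// $parameters['main']['salt']   = "SALT_ONE";
// $parameters['main']['salt2']  = "SALT_TWO";
```

Fix B is the safer habit for an installer that rewrites a template: strtr() makes the result independent of the order in which placeholders were listed, and delimiting placeholders (for example `{{encryption_salt}}`) removes the prefix relationship altogether. Note that either fix still pastes the raw value into PHP source; a value containing a double quote would break the generated file, which is why writing values with var_export() is preferable to string substitution.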
