Organizational Research By

Surprising Reserch Topic

Experts Most Trusted Topic


bcrypt and randomly generated salts


bcrypt and randomly generated salts  using -'php,salt,bcrypt,password-encryption'

So I was experimenting with bcrypt. I have a class(shown below, which I got from http://www.firedartstudios.com/articles/read/php-security-how-to-safely-store-your-passwords) in which there are 3 functions. 1st one is to generate a random Salt, the 2nd to generate a hash using the 1st generated Salt and the last one is to verify the supplied password by comparing it with the hashed password.

<?php
/* Bcrypt Example */
class bcrypt {
    private $rounds;
    public function __construct($rounds = 12) {
        if(CRYPT_BLOWFISH != 1) {
            throw new Exception("Bcrypt is not supported on this server, please see the following to learn more: http://php.net/crypt");
        }
        $this->rounds = $rounds;
    }

    /* Gen Salt */
    public function genSalt() {
        /* openssl_random_pseudo_bytes(16) Fallback */
        $seed = '';
        for($i = 0; $i < 16; $i++) {
            $seed .= chr(mt_rand(0, 255));
        }
        /* GenSalt */
        $salt = substr(strtr(base64_encode($seed), '+', '.'), 0, 22);
        /* Return */
        return $salt;
    }

    /* Gen Hash */
    public function genHash($password) {
        /* Explain '$2y$' . $this->rounds . '$' */
            /* 2a selects bcrypt algorithm */
            /* $this->rounds is the workload factor */
        /* GenHash */
        $hash = crypt($password, '$2y$' . $this->rounds . '$' . $this->genSalt());
        /* Return */
        return $hash;
    }

    /* Verify Password */
    public function verify($password, $existingHash) {
        /* Hash new password with old hash */
        $hash = crypt($password, $existingHash);

        /* Do Hashs match? */
        if($hash === $existingHash) {
            return true;
        } else {
            return false;
        }
    }
}
/* Next the Usage */
/* Start Instance */
$bcrypt = new bcrypt(12);

/* Two create a Hash you do */
echo 'Bcrypt Password: ' . $bcrypt->genHash('password');

/* Two verify a hash you do */
$HashFromDB = $bcrypt->genHash('password'); /* This is an example you would draw the hash from your db */
echo 'Verify Password: ' . $bcrypt->verify('password', $HashFromDB);
?>


Now if I generate a hash with 'password' for example, I get a hashed password, which took the randmonly generated Salt. Next if I enter 'password' again and use the verify function ,I get true meaning that the passwords match. If I enter wrong password, I get false. My question is how is this possible? What about the randomly generated Salt? How come that is not having any effect?
    

asked Oct 19, 2015 by mca.agarwal
0 votes
3 views



Related Hot Questions



Government Jobs Opening


...