php


Understanding how salt is generated/used in bcrypt password_hash


I am working on an existing Symfony 2.8 web app project that uses FOSUserBundle for user authentication.
In addition to the web front end the users can use different smartphone client to connect to the web app using a REST API. Thus the users need to be authenticated both when logging in directly in the web app and when connecting why the REST API.
Until one of the latest FOSUserBundle updates a bcrypt password hash and the used salt where stored in the database.
When connecting using the REST API, the salt is transferred to the client to locally hash the password using the same salt. The hashed password is than send back to the web app for authentication.
I know that sending the hashed password instead of plain text does not add (a lot of) additional security, since the communication is only possible using HTTPS. However this is the way the clients work: They need the salt to generate the hashed password. I can update the clients in the future, but right now this is just the way the work.
The Problem:
They way FOSUserBundle hashes the password has changed: Since it is considered to be saver to NOT specify the salt manually but to let PHP generate the salt automatically (in PHP 7 it is not even possible to manually set the salt), a manual salt is no longer supported.
This is no problem when logging into the web app directly, but since the REST clients still need a salt, this updates breaks the REST connection.
Is there any way to combine both methods? Let PHP create the salt automatically, extract and send this salt to the clients?
As far as I understand the salt is stored with the hash in the same string:
However, simply copy the 21 char salt from the hash-string and send these to the clients does not work. It seems that these 21 chars a enough to test/verify the password, but not to re-create the hash. Is this correct?
So, is there any solution to use PHP password_hash without setting a salt, and to get to know the used salt at the same time?
EDIT 1:
To answer #RiggsFolly question: MD5 was not used at any time. It is not correct, that bcryp/password_hash will not create the same hash twice. It will do so, if both the password and the salt are the same:
$s = 'password';
$salt = 'salt5678901234567890123456789012';
$options['salt'] = $salt;
$h1 = password_hash($s,PASSWORD_BCRYPT,$options);
$h2 = password_hash($s,PASSWORD_BCRYPT,$options);
echo $h1 . PHP_EOL;
echo $h2 . PHP_EOL;
Result:
$2y$10$salt56789012345678901uTWNlUnhu5K/xBrtKYTo7oDy8zMr/csu
$2y$10$salt56789012345678901uTWNlUnhu5K/xBrtKYTo7oDy8zMr/csu
password_hash will create a new hash for the same password, if the salt is not specified. This is because, the salt will be created randomly which is than of cause different on each call.
EDIT 2:
As one can see in Edit 1, using a salt with 32 chars will result in a string that only includes the first 21 chars of the salt. However this salt-prefix cannot be used to re-create the same hash since it is too short to be accepted.
However, if the prefix is filled up with 0, it seems to work:
$s = 'password';
$salt = 'salt5678901234567890123456789012';
$salt_prefix = 'salt5678901234567890100000000000';
$h1 = password_hash($s, PASSWORD_BCRYPT, array('salt' => $salt));
$h2 = password_hash($s, PASSWORD_BCRYPT, array('salt' => $salt_prefix));
echo $h1 . PHP_EOL;
echo $h2 . PHP_EOL;
So a solution could be:
let FOSUserBundle use password_hash to create the hash without manually specifying a salt.
extract the salt from the result string and pad it with 0 to a length of 32 chars
pass this salt to the client
Can anyone confirm, that this a real solution and not just some coincidence ?
The salt is, as documented on http://us2.php.net/crypt, 22 characters and not 21.
<?php
$key = 'password';
$hash = password_hash($key, PASSWORD_BCRYPT);
$salt = substr($hash, 7, 22);
$rehash = password_hash($key, PASSWORD_BCRYPT, ['salt' => $salt]);
if ($hash == $rehash) {
echo 'ok', PHP_EOL;
}
The last 2 in the salt5678901234567890123456789012 salt changing to an u is just some magic in crypt blowfish.

Related Links

Magento - Change Customer Id and Order ID
Effective compression in AS3 to be transeferred to PHP
How to generate a unique id for different visitors with PHP?
preg_replace easy for a pro
PHP How to include files based on creation date?
Put a function in an XML field
dynamic array key additions
Wordpress: wp_get_attachment_thumb_url
jQuery autocomplete special character (Norwegian) problems
Basic authentication and session management library for PHP?
get_headers() Redirection limit reached, aborting. failed to open stream: Operation now in progress
preg_replace or str_replace
How to put string in array, split by new line?
Ecommerce different cart items DB & models design
PHP Call different library at different place of an Application
Automate printing & dealing with large HTML files

Categories

HOME
flask
tomcat
gaming
verification
cucumber
dotnetnuke
braintree
visual-studio-2010
amp
native-base
static-analysis
driver
lapack
getopenfilename
fbloginview
responsivevoice
angular4
asciimath
renderscript
psql
connection-refused
amazon-sns
window-managers
webviewclient
spreadsheetgear
tf-idf
tsung
ibm-connections
objectmapper
memory-fences
sca
xerces-c
uivisualeffectview
viewcontroller
destroy
jenkins-slave
gcal
liteide
sigsegv
datediff
line-intersection
alertify
http4s
mifos
mathjs
data-management
nsrunloop
p6spy
conan
android-4.2-jelly-bean
android-sdcard
apple-configurator
textblock
outlook.com
smart-tv
variable-length-array
openshift-cartridge
canopy
enaml
apple
search-form
replicaset
green-threads
cache-manifest
karma-coverage
ssmtp
findersync
datagridcomboboxcolumn
device-admin
qt5.4
ecos
windows-messages
csslint
cpu-time
mod-perl
compiler-flags
disjoint-union
ax
rikulo
xcode4.5
clearinterval
java.lang.class
infopath-2007
snackjs
azure-acs
mediacontroller
cewolf
android-input-method
tacit-programming

Resources

Database Users
RDBMS discuss
Database Dev&Adm
javascript
java
csharp
php
android
javascript
java
csharp
php
python
android
jquery
ruby
ios
html
Mobile App
Mobile App
Mobile App