[Dcphp-dev] MD5 Collision on email address
Barry Austin
barry.austin at doboard.com
Sat Nov 10 14:26:32 EST 2007
Ray,
Yes, MD5 can produce hash collisions in a very small percentage of cases.
For many uses this shouldn't be a big problem, but for security it should be
avoided.
I prefer the SHA-2 series, referred to as SHA-224/256/384/512, because the
algorithms are strong and widely supported.
If you need the hashes to be un-guessable then I'd recommend hashing more
than just the email address. A well accepted strategy is to include a
secret key in the computation, resulting in a keyed-Hash Message
Authentication Code (HMAC), and another useful technique is to concatenate a
"salt", which may or may not be secret, with the input.
PHP versions >= 5.1.2 have the hash_hmac() and hash() functions:
$hmac = hash_hmac('sha256', $data, $key); // hex string output
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE)); // force binary output before encoding
$hash = hash('sha256', $data . $salt);
PHP versions < 5.3 have the mhash() function:
$hmac = base64_encode(mhash(MHASH_SHA256, $data, $key)); // mhash produces binary output
$hash = bin2hex(mhash(MHASH_SHA256, $data . $salt));
There's a nice table of algorithms and their properties on Wikipedia:
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Barry
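The following is an added example, not code from Barry's reply or from the DC PHP list, putting the two techniques above side by side for Ray's use case: an unkeyed hash of the address is something anyone who knows the address can recompute, so it works as an identifier but not as a code that must be unguessable; the HMAC variant requires the secret key. It assumes PHP 5.6 or later (for hash_equals); the key and the sample address are constructed placeholders.

```php
<?php
// Added example (not from the original thread). Assumes PHP >= 5.6 for
// hash_equals(); hash_hmac() and hash() exist from 5.1.2 as the reply notes.

// Constructed placeholder secret. Load the real key from configuration
// outside the web root; never commit it with the source.
define('CODE_KEY', 'replace-me-with-a-long-random-secret');

// Unkeyed hash: anyone who knows the address can compute it, so treat it
// as a public identifier, not as a credential.
function public_id($email) {
    return md5(strtolower(trim($email)));
}

// Keyed code (HMAC-SHA256): without CODE_KEY the code for a given address
// cannot be predicted, and distinct addresses still yield distinct codes.
function issue_code($email, $key = CODE_KEY) {
    $normalized = strtolower(trim($email));
    return hash_hmac('sha256', $normalized, $key); // 64 hex characters
}

// Recompute and compare in constant time so a wrong guess does not leak
// how many leading characters matched.
function verify_code($email, $presented, $key = CODE_KEY) {
    $expected = issue_code($email, $key);
    return hash_equals($expected, (string) $presented);
}

// Salted variant from the reply: the salt need not be secret, but unlike
// the HMAC it does not stop someone who knows the salt from predicting codes.
function salted_hash($email, $salt) {
    return hash('sha256', $email . $salt);
}

$email = 'alice@example.com'; // constructed sample address
printf("md5 id    : %s\n", public_id($email));
printf("hmac code : %s\n", issue_code($email));
printf("salted    : %s\n", salted_hash($email, 'dcphp-2007'));
var_dump(verify_code($email, issue_code($email)));
var_dump(verify_code($email, issue_code('bob@example.com')));
```

Normalizing the address before hashing (trim and lowercase) keeps "Alice@Example.com" and "alice@example.com" from producing two different codes for the same mailbox; if the codes are ever used as access tokens, verify them with the constant-time comparison rather than `==`.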
-----Original Message-----
From: dcphp-dev-bounces at calypso.tux.org
[mailto:dcphp-dev-bounces at calypso.tux.org] On Behalf Of Ray Paseur
703.346.0600
Sent: Saturday, November 10, 2007 9:59 AM
To: DC PHP Developers Group
Subject: [Dcphp-dev] MD5 Collision on email address
Colleagues:
First, a big thank you to Robyn and his team for an excellent conference
this week. More than worth it!
Now a question. Do I run a risk of getting duplicate codes if I use
$code=MD5(email) to generate a unique ID? Can anyone recommend a
state-of-the-art algorithm to produce unique IDs?
Thanks to all,
Ray
_______________________________________________
Dcphp-dev mailing list
Dcphp-dev at calypso.tux.org
http://calypso.tux.org/cgi-bin/mailman/listinfo/dcphp-dev