HASH


Marcos Jarrin
Jun 10, 2024, 12:29:13 AM
to Harbour Developers

Hello

The hash system used by Harbour is not very efficient and can be hacked. Every time a hash is generated on a key, it generates the same hash, which can be hacked using a hash dictionary.

The most convenient thing would be that each time it is executed, it generates a different hash and, using another function, it can be compared to see if it is the same key entered, as is done in PHP.

password_hash

https://www.php.net/manual/en/function.password-hash.php

This function verifies whether the key that generates the hash is the same

password_verify

https://www.php.net/manual/en/function.password-verify.php

With this implementation, the security of the keys in Harbour would be improved.

Eric Lendvai
Jun 10, 2024, 12:56:18 AM
to Harbour Developers

Hello Marcos,

The primary purpose of the hash is to sign a large text for example, meaning the same source text will always result in the same hash.
With SHA-256 the likelihood of 2 source texts generating the same hash is 1 with 77 zeros approx.
In my next commit of DataWharf you will be able to see how I am using this to reduce the size for storing logged errors. 
I generate the hash (256 in my case) of the error report, store the hash and the error text if not already on file. Any additional occurrence of the same error report only makes a reference.

By the way to handle your issue I pushed a commit to get Viktor Szakats's contrib of bcrypt and other fixes.
https://github.com/harbour/core/pull/318

Hope this helps, Eric

Antonio Linares
Jun 10, 2024, 11:51:33 PM
to Harbour Developers

Dear Marcos,

The hash system used by Harbour is not very efficient and can be hacked. Every time a hash is generated on a key, it generates the same hash which can be hacked using a hash dictionary.

Would you please provide an example of how to do this? Thanks

best regards

Marcos Jarrin
Jun 12, 2024, 1:19:01 AM
to Harbour Developers

Link to the C code of the PHP implementation of password_hash

https://github.com/php/php-src/blob/master/ext/standard/password.c

Marcos Jarrin
Jun 12, 2024, 1:19:02 AM
to Harbour Developers

Good evening

When using password_hash(), the returned value includes the salt as part of the generated hash. This value should be stored as is in the database, as it includes information about the hash function that was used and thus directly provided to password_verify() or crypt() when verifying passwords.


Code PHP

<?php
  // Your code here!
  echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
  echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
  echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
  echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
  echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
?>


Output

$2y$10$efkdoqsodqm69U5Vz9Z5j.W7KmY0o8KdO/fcZJ5pj3Tg1ZJHjFfKy
$2y$10$ckpfhWgK361rZteBDJ4sAu5.SFpb/bZb7KN8AUStzXMd3ZOzjVnpe
$2y$10$yIkEo01XCKxdPQ3THvvSMOqnd8v7ZMgGGkkBy4nH8BUkYHq.AlM3G
$2y$10$YH.ZANzWReHUwe.n9HfR5unz.dBtQw/qKyWnKE.nbLs1Y8CldlL56
$2y$10$a1tgX85qLqnoi4GTwB35huhM0By8Zaz7XfeFj12/7KNN607Bf0Ati

 

As you can see, the first 7 characters are the same; with this code, password_verify can generate the same hash.

Attached is a C file of the implementation of password_hash for PHP.


On Monday, June 10, 2024 at 22:51:33 UTC-5, Antonio Linares wrote:

Bacco
Jun 12, 2024, 1:33:25 PM
to harbou...@googlegroups.com
IMHO this should be discussed in user's forum

Harbour implementation is ok and we have the most common hashes used
in common applications. Password hashes are a very special use case and
are salted for this specific use. This thread is based on a misconception of
what hashes and salts are, and their purpose.

I recommend following cryptographers like Thomas Pornin on Stack Exchange
to get a better understanding. Here is one relevant link:


Indeed, I adapted it to Portuguese too, a few years ago.

see the whole thread if you are interested in password hashing..

Indeed, by understanding the basics you can replicate PHP hashes with Harbour
functions easily, in a few lines.

Again: Harbour, as it became a general purpose language, should provide the
basic building blocks, such special case uses can be provided with additional
libraries.

Regards, 
Bacco

Bacco
Jun 12, 2024, 2:02:01 PM
to harbou...@googlegroups.com
For completeness:

I've been using PHP hashes in Harbour for quite a while; what can be improved are the hash options themselves.

I'm using this lib specifically to produce PHP compatible passwords with bcrypt hashes, with a simple wrapper in C:

but note: the hashing, salting and formatting as you see in PHP is all on the Harbour side. I just added the lib because I found that bcrypt itself is a common ground for the security I need. The same would apply if you want to use Argon or any hash; the format is almost the same:

$identifier$parameters$hash or whatever.

In case of bcrypt you use

$2y (identifier. x and y are a php thing, originally a and b)
$10 (iterations that are a bcrypt parameter)
$salt.hash in a special base64 format

If something can be added to Harbour, it should be the modern base hashes themselves. The PHP/crypt formatting of salts and hashes is already possible with existing hashes, and it would still be easy to do with any base hash added to Harbour.

Regards,
Bacco
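An added example, not from the thread or from Harbour, that illustrates both Marcos's observation (the same password yields a different string on every call, and password_verify still succeeds) and Bacco's point that the salting and "$identifier$parameters$salt$hash" formatting sit above the base hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt, so the identifier "pbkdf2-sha256" and the iteration count are assumptions of this example rather than PHP's real "$2y$" scheme; parse_bcrypt splits one of the real strings posted above into its fields.

```python
import base64
import hashlib
import hmac
import os

# Constructed illustration of a self-describing "$identifier$parameters$salt$hash"
# password string. PBKDF2-HMAC-SHA256 stands in for bcrypt, so IDENT and
# ITERATIONS are assumptions of this example, not PHP's real "$2y$" format.
IDENT = "pbkdf2-sha256"
ITERATIONS = 200_000

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))

def password_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Fresh random salt on every call, so the same password never repeats a string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"${IDENT}${iterations}${_b64(salt)}${_b64(dk)}"

def password_verify(password: str, stored: str) -> bool:
    """Re-derive with the salt and parameters embedded in the stored string."""
    try:
        _, ident, iters, salt_b64, dk_b64 = stored.split("$")
        salt, expected, rounds = _unb64(salt_b64), _unb64(dk_b64), int(iters)
    except ValueError:  # wrong field count, bad base64 or non-numeric parameter
        return False
    if ident != IDENT:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def parse_bcrypt(stored: str) -> dict:
    """Split a PHP bcrypt string "$2y$<cost>$<22-char salt><31-char hash>" into fields."""
    _, ident, cost, rest = stored.split("$", 3)
    return {"identifier": ident, "cost": int(cost), "salt": rest[:22], "hash": rest[22:]}

if __name__ == "__main__":
    first, second = password_hash("rasmuslerdorf"), password_hash("rasmuslerdorf")
    print(first, second, sep="\n")  # same password, two different strings
    print(password_verify("rasmuslerdorf", first), password_verify("wrong", first))
    print(parse_bcrypt("$2y$10$efkdoqsodqm69U5Vz9Z5j.W7KmY0o8KdO/fcZJ5pj3Tg1ZJHjFfKy"))
```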