Using PEAR::Crypt_HMAC in PHP

By: Andi, Stig and Derick


The Crypt_HMAC class implements the algorithm as described in RFC 2104 and can be installed with pear install crypt_hmac. Let’s look at it:

<?php
class Crypt_HMAC {

    var $_func;
    var $_ipad;
    var $_opad;

    /**
     * Constructor
     * Pass the key as first parameter and the method as second
     *
     * @param string key    - Secret key shared by the signer and the verifier
     * @param string method - Hash function used for the calculation
     * @return void
     * @access public
     */
    function Crypt_HMAC($key, $method = 'md5')
    {
        if (!in_array($method, array('sha1', 'md5'))) {
            die("Unsupported hash function '$method'.");
        }
        $this->_func = $method;

        /* Pad the key as the RFC wishes (step 1). A key longer than the
         * 64-byte block is replaced by its digest; 'H*' converts the whole
         * hex digest to bytes ('H32' would truncate sha1's 40 hex digits). */
        if (strlen($key) > 64) {
            $key = pack('H*', $method($key));
        }
        if (strlen($key) < 64) {
            $key = str_pad($key, 64, chr(0));
        }

        /* Calculate the padded keys and save them (steps 2 & 3) */
        $this->_ipad = substr($key, 0, 64) ^ str_repeat(chr(0x36), 64);
        $this->_opad = substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64);
    }

First, we make sure that the requested underlying hash function is actually supported (for now, only the built-in PHP functions md5() and sha1() are supported). Then, we bring the key to the 64-byte block size: a longer key is replaced by its digest, a shorter one is padded with null bytes. Finally, still in the constructor, we XOR the padded key with the inner and outer padding constants and store both results, so that the hash() method can be called several times without losing performance by padding the key every time a hash is requested:

    /**
     * Hashing function
     *
     * @param string data - string that will be hashed (step 4)
     * @return string
     * @access public
     */
    function hash($data)
    {
        $func = $this->_func;
        /* Inner digest as raw bytes ('H*' again, so sha1 is not truncated) */
        $inner = pack('H*', $func($this->_ipad . $data));
        $digest = $func($this->_opad . $inner);
        return $digest;
    }
}
?>

In the hash function, we use the pre-padded keys. First, we compute the inner hash over the inner padded key followed by the data, and convert it to raw bytes. Then, we compute the outer hash over the outer padded key followed by that inner result; this outer hash is the digest (a different name for hash) that we return.
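To see the same five RFC 2104 steps without the class wrapper, here is an added example (not the book's or PEAR's code) that writes HMAC out with PHP's hash() extension and checks the result against the first RFC 2202 test vector and against the built-in hash_hmac(). It assumes the hash extension is available and uses the 64-byte block size shared by MD5, SHA-1 and SHA-256.

```php
<?php
/* Added example, not part of the book or of PEAR::Crypt_HMAC.
 * RFC 2104 HMAC, step by step, over PHP's hash() extension. */

function rfc2104_hmac($algo, $key, $data)
{
    $block = 64;   // block size of MD5, SHA-1 and SHA-256 (assumption: one of these algos)

    /* Step 1: a key longer than the block is hashed first. 'H*' keeps the
     * whole digest; 'H32' would silently truncate a SHA-1 digest to 16 bytes. */
    if (strlen($key) > $block) {
        $key = pack('H*', hash($algo, $key));
    }
    $key = str_pad($key, $block, chr(0));

    /* Steps 2 and 3: inner and outer padded keys. */
    $ipad = $key ^ str_repeat(chr(0x36), $block);
    $opad = $key ^ str_repeat(chr(0x5C), $block);

    /* Step 4: inner hash over ipad || data, kept as raw bytes. */
    $inner = hash($algo, $ipad . $data, true);

    /* Step 5: outer hash over opad || inner, returned as hex. */
    return hash($algo, $opad . $inner);
}

/* RFC 2202 test case 1: key = 0x0b repeated (16 bytes for MD5, 20 for SHA-1),
 * data = "Hi There". The expected digests are the published vectors. */
$vectors = array(
    'md5'  => array(str_repeat(chr(0x0b), 16), '9294727a3638bb1c13f48ef8158bfc9d'),
    'sha1' => array(str_repeat(chr(0x0b), 20), 'b617318655057264e28bc0b6fb378c8ef146be00'),
);

foreach ($vectors as $algo => $vector) {
    list($key, $expected) = $vector;
    $ours = rfc2104_hmac($algo, $key, 'Hi There');
    $ok = ($ours === $expected) && ($ours === hash_hmac($algo, 'Hi There', $key));
    printf("%-4s %s %s\n", $algo, $ours, $ok ? 'OK' : 'MISMATCH');
}

/* A constructed key longer than the block size exercises the step 1 pre-hash,
 * which is exactly where a truncating pack() format would go wrong for SHA-1. */
$longkey = str_repeat('k', 100);
$ok = rfc2104_hmac('sha1', $longkey, 'data') === hash_hmac('sha1', 'data', $longkey);
printf("long sha1 key: %s\n", $ok ? 'OK' : 'MISMATCH');
```

Run it with `php hmac_rfc2104.php` (the file name is arbitrary). Agreement with both the RFC 2202 vector and hash_hmac() is the check you want before trusting a hand-rolled HMAC; in production code hash_hmac() itself is the right call, and the manual version exists only to show what the class above is doing.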

Back to our original problem. We want to verify that no one tampered with our precious $_GET variables. Here is the second, more secure, version of our create_parameters() function:

<?php
require_once('Crypt/HMAC.php');

/* The RFC recommends a key size larger than the output hash
 * for the hash function you use (16 for md5() and 20 for sha1()). */
define('SECRET_KEY', 'Professional PHP 5 Programming Example');

function create_parameters($array)
{
    $data = '';
    $ret = array();

    /* Construct the string with our key/value pairs */
    foreach ($array as $key => $value) {
        $data .= $key . $value;
        $ret[] = "$key=$value";
    }

    $h = new Crypt_HMAC(SECRET_KEY, 'md5');
    $hash = $h->hash($data);
    $ret[] = "hash=$hash";

    return join('&amp;', $ret);
}

echo '<a href="script.php?' .
    create_parameters(array('cause' => 'vars')) . '">err!</a>';
?>

The output is

<a href="script.php?cause=vars&hash=6a0af635f1bbfb100297202ccd6dce53">err!</a>

To verify the parameters passed to the script, we can use this script:

<?php
require_once('Crypt/HMAC.php');

define('SECRET_KEY', 'Professional PHP 5 Programming Example');

function verify_parameters($array)
{
    $data = '';

    /* Store the hash in a separate variable and unset the hash from
     * the array itself (as it was not used in constructing the hash). */
    if (!isset($array['hash'])) {
        return FALSE;
    }
    $hash = $array['hash'];
    unset($array['hash']);

    /* Construct the string with our key/value pairs */
    foreach ($array as $key => $value) {
        $data .= $key . $value;
    }

    $h = new Crypt_HMAC(SECRET_KEY, 'md5');

    /* Strict comparison: with != PHP compares two numeric-looking strings
     * (for example hex digests beginning with "0e") as numbers. */
    if ($hash !== $h->hash($data)) {
        return FALSE;
    } else {
        return TRUE;
    }
}

/* We use a static array here, but in real life you would be using
 * $array = $_GET or similar. */
$array = array(
    'cause' => 'vars',
    'hash'  => '6a0af635f1bbfb100297202ccd6dce53'
);

if (!verify_parameters($array)) {
    die("Dweep! Somebody tampered with our parameters.\n");
} else {
    echo "Good guys, they didn't touch our stuff!!";
}
?>
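Two details of the create/verify pair above deserve a hardened counterpart: the parameters are serialized as `$key . $value` with no delimiter, so different key/value splits can produce the same string, and the digest is compared with an ordinary string comparison. The following added example (not the book's code; it assumes PHP 5.6 or later for hash_equals() and the hash extension for hash_hmac()) builds the MAC over a canonical, URL-encoded query with sorted keys and compares it in constant time. The function names with a `_v2` suffix are this example's own.

```php
<?php
/* Added example, not part of the book: a hardened create/verify pair.
 * Assumes PHP >= 5.6 (hash_equals) and the hash extension (hash_hmac). */

define('SECRET_KEY', 'Professional PHP 5 Programming Example');

/* Canonical, unambiguous encoding of the parameters: the 'hash' entry is
 * dropped, keys are sorted, and the rest is URL-encoded as k=v&k=v. Because
 * keys and values are encoded separately, moving a character across the
 * key/value boundary changes the encoded string. */
function canonical_query(array $params)
{
    unset($params['hash']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&');
}

function create_parameters_v2(array $params)
{
    $query = canonical_query($params);
    $hash  = hash_hmac('sha256', $query, SECRET_KEY);
    return $query . '&hash=' . $hash;
}

function verify_parameters_v2(array $params)
{
    if (!isset($params['hash']) || !is_string($params['hash'])) {
        return false;
    }
    $expected = hash_hmac('sha256', canonical_query($params), SECRET_KEY);
    /* hash_equals(): strict and constant-time, so neither loose numeric
     * comparison nor byte-by-byte early exit affects the result. */
    return hash_equals($expected, $params['hash']);
}

/* Constructed demonstration: sign, parse back as PHP would fill $_GET, verify. */
$query = create_parameters_v2(array('cause' => 'vars', 'user' => 'bob'));
parse_str($query, $received);
printf("untouched parameters verify: %s\n", verify_parameters_v2($received) ? 'yes' : 'no');

$modified = $received;
$modified['user'] = 'alice';
printf("modified parameters verify:  %s\n", verify_parameters_v2($modified) ? 'yes' : 'no');

/* Why the delimiter matters: under the book's $key . $value scheme both of
 * these constructed parameter sets serialize to the string "abc", so a
 * verifier built on that scheme cannot tell them apart. The canonical
 * encoding keeps them distinct. */
$p1 = array('ab' => 'c');
$p2 = array('a'  => 'bc');
printf("book-style strings equal:     %s\n", ('ab' . 'c' === 'a' . 'bc') ? 'yes' : 'no');
printf("canonical strings equal:      %s\n",
    (canonical_query($p1) === canonical_query($p2)) ? 'yes' : 'no');
```

The secret stays server-side exactly as in the book's version; what changes is that the signed string is an injective encoding of the parameter set, the MAC uses SHA-256 through hash_hmac(), and the comparison cannot be influenced by PHP's loose string-to-number conversion or by timing.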

The SHA1 hash method gives you more cryptographic strength, but both MD5 and SHA1 are adequate for the purpose of checking the validity of your parameters.
