Using HMAC Verification in PHP

By: Andi, Stig and Derick

If you need to prevent bad guys from tampering with variables passed in the URL (such as for a redirect as shown previously, or for links that pass special parameters to the linked script), you can use a hash, as shown in the following script:

<?php

function create_parameters($array)
{
    $data = '';
    $ret = array();

    /* For each variable in the array we add a string containing
     * "$key=$value" to an array and concatenate
     * $key and $value to the $data string. */
    foreach ($array as $key => $value) {
        $data .= $key . $value;
        $ret[] = "$key=$value";
    }

    /* We also add the md5sum of the $data as element
     * to the $ret array. */
    $hash = md5($data);
    $ret[] = "hash=$hash";

    return join('&', $ret);
}

echo '<a href="script.php?' . create_parameters(array('cause' => 'vars')) . '">err!</a>';

?>

Running this script echoes the following link:

<a href="script.php?cause=vars&hash=8eee14fe10d3f612589cdef079c025f6">err!</a>

However, this URL is still vulnerable. The hash is a plain md5() of the parameters and involves no secret, so an attacker can modify the variables and simply recompute a matching hash. We must do something better. We're not the first ones with this problem, so there is an existing solution: HMAC (Keyed-Hashing for Message Authentication). The HMAC construction has a cryptographic security proof, and it should be used instead of home-cooked validation algorithms.

The HMAC algorithm uses a secret key in a two-step hashing of plain text (in our case, the string containing the key/value pairs) with the following steps:

  1. If the key length is smaller than 64 bytes (the block size that most hashing algorithms use), we pad the key to 64 bytes with \0s; if the key length is larger than 64, we first use the hash function on the key and then pad it to 64 bytes with \0s.

  2. We construct opad (the 64-byte key XORed with 0x5C) and ipad (the 64-byte key XORed with 0x36).

  3. We create the "inner" hash by running the hash function over ipad . plain text. (Because we use an "iterative" hash function, like md5() or sha1(), we don't need to seed the hash function's internal state with our key and then run the seeded hash function over our plain text: feeding a full 64-byte key block ahead of the text makes the hash do exactly that internally, which is why we padded the key up to 64 bytes.)

  4. We create the "outer" hash by running the hash function over opad . inner_result, that is, over opad followed by the result obtained in step 3.

Here is the formula to calculate HMAC, which should help you understand the calculation (the comma denotes concatenation, as the "." operator does in the steps above):

H(K XOR opad, H(K XOR ipad, text))

With

  • H. The hash function to use

  • K. The key padded to 64 bytes with zeroes (0x0)

  • opad. The 64 bytes of 0x5Cs

  • ipad. The 64 bytes of 0x36s

  • text. The plain text for which we are calculating the hash
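The following script is an added example, not code from the book or from this page. It writes out steps 1 to 4 above as a function, checks that function against PHP's built-in hash_hmac(), and then rewrites create_parameters() from the first script so that the link is protected by an HMAC and the receiving script can verify it. Names such as SIGNING_KEY, manual_hmac_md5(), create_signed_parameters() and verify_signed_parameters() are the example's own; the secret key value is a placeholder. The MAC is computed over the URL-encoded query string rather than over $key . $value, so that key/value boundaries are unambiguous (md5("cause" . "vars") cannot tell cause=vars apart from caus=evars).

```php
<?php
declare(strict_types=1);

// Shared secret: lives only on the server and is never sent to the client.
// Placeholder value for this example; generate a long random secret instead.
const SIGNING_KEY = 'replace-with-a-long-random-secret';

/**
 * Textbook HMAC-MD5, following steps 1-4 of the tutorial.
 * Written out to illustrate the construction; production code should
 * call hash_hmac() instead.
 */
function manual_hmac_md5(string $key, string $text): string
{
    $blockSize = 64; // md5() and sha1() both work on 64-byte blocks

    // Step 1: hash an over-long key first, then pad the key with \0 to 64 bytes.
    if (strlen($key) > $blockSize) {
        $key = md5($key, true); // raw 16-byte digest, not the hex form
    }
    $key = str_pad($key, $blockSize, "\0");

    // Step 2: opad and ipad are the padded key XORed with 0x5C and 0x36.
    $opad = $key ^ str_repeat("\x5C", $blockSize);
    $ipad = $key ^ str_repeat("\x36", $blockSize);

    // Step 3: inner hash over ipad . text, kept as raw bytes for the outer hash.
    $inner = md5($ipad . $text, true);

    // Step 4: outer hash over opad . inner_result, returned as hex.
    return md5($opad . $inner);
}

/**
 * Build a query string whose parameters are protected by an HMAC.
 */
function create_signed_parameters(array $params): string
{
    unset($params['hash']); // the caller must not supply its own hash
    ksort($params);         // canonical order so both sides MAC the same string
    $query = http_build_query($params);
    $mac = hash_hmac('md5', $query, SIGNING_KEY);
    return $query . '&hash=' . $mac;
}

/**
 * Verify a received parameter set (typically $_GET). Returns true only when
 * the HMAC matches; hash_equals() compares in constant time.
 */
function verify_signed_parameters(array $params): bool
{
    if (!isset($params['hash']) || !is_string($params['hash'])) {
        return false;
    }
    $received = $params['hash'];
    unset($params['hash']);
    ksort($params);
    $expected = hash_hmac('md5', http_build_query($params), SIGNING_KEY);
    return hash_equals($expected, $received);
}

// --- Demonstration ---------------------------------------------------
// The hand-written HMAC must agree with the built-in one, including for a
// key longer than 64 bytes, which exercises the "hash the key first" branch.
$text = 'cause=vars';
$longKey = str_repeat('k', 100);
if (manual_hmac_md5(SIGNING_KEY, $text) !== hash_hmac('md5', $text, SIGNING_KEY)
    || manual_hmac_md5($longKey, $text) !== hash_hmac('md5', $text, $longKey)) {
    throw new RuntimeException('manual HMAC does not match hash_hmac()');
}

// Emit the protected link (escaped for use inside an HTML attribute).
$link = create_signed_parameters(['cause' => 'vars']);
echo '<a href="script.php?' . htmlspecialchars($link, ENT_QUOTES) . '">err!</a>', "\n";

// Simulate what script.php receives, then a tampered copy of it.
parse_str($link, $received);
var_dump(verify_signed_parameters($received));
$received['cause'] = 'evil';
var_dump(verify_signed_parameters($received));
```

The receiving script should reject the request whenever verify_signed_parameters() returns false, before it uses any of the parameters. MD5 is used here only to match the tutorial; hash_hmac() accepts 'sha256' with no other change, and that is the sensible choice for new code.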

