How are these 2 lines of PHP different?
Question
Assuming we have a salt that's in the database and that has been generated like this
$salt = time();
What is the difference between these 2 lines?
$pass1 = hash('sha1', $password . $salt);
$pass2 = hash_hmac('sha1', $password, $salt);
They don't produce the same output. In the first one, the hash function takes 2 params, while hash_hmac needs 3 params. You would therefore think that we can get that third extra param by using the $salt separately (to fulfill the third param) as opposed to concatenating it with the password ($password . $salt) like we did in line 2. But it's not that simple; the 2 results are different. Why? What is going on exactly here?
Solution
Because HMAC SHA-1 is not the same as SHA-1 with the message and key concatenated. HMAC is more like sha1($salt . sha1($salt . $password)), but not exactly. Wikipedia has a nice description of HMAC.
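To make the "not exactly" concrete, here is an added example (not from the question or the answer) that writes out the HMAC-SHA1 construction from RFC 2104 step by step and compares it against the library HMAC, against the concatenated hash from $pass1, and against the nested sha1($salt . sha1($salt . $password)) approximation. It is in Python rather than PHP so it can be run anywhere; the password and salt values are constructed sample inputs.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 processes 64-byte blocks; HMAC pads the key to this length


def hmac_sha1_manual(key: bytes, msg: bytes) -> str:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), written out in full."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()      # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # shorter keys are zero-padded to the block size
    ipad_key = bytes(b ^ 0x36 for b in key)   # inner padding constant
    opad_key = bytes(b ^ 0x5C for b in key)   # outer padding constant
    inner = hashlib.sha1(ipad_key + msg).digest()
    return hashlib.sha1(opad_key + inner).hexdigest()


def concat_sha1(password: bytes, salt: bytes) -> str:
    """Equivalent of PHP's hash('sha1', $password . $salt)."""
    return hashlib.sha1(password + salt).hexdigest()


def nested_sha1(password: bytes, salt: bytes) -> str:
    """The answer's rough approximation: sha1($salt . sha1($salt . $password))."""
    inner = hashlib.sha1(salt + password).digest()
    return hashlib.sha1(salt + inner).hexdigest()


def compare(password: bytes, salt: bytes) -> dict:
    """Equivalent of PHP's hash_hmac('sha1', $password, $salt): key is the salt."""
    manual = hmac_sha1_manual(salt, password)
    library = hmac.new(salt, password, hashlib.sha1).hexdigest()
    return {
        "hmac_manual": manual,
        "hmac_library": library,
        "concat": concat_sha1(password, salt),
        "nested": nested_sha1(password, salt),
        "manual_matches_library": manual == library,
        "hmac_equals_concat": manual == concat_sha1(password, salt),
        "hmac_equals_nested": manual == nested_sha1(password, salt),
    }


if __name__ == "__main__":
    # constructed sample values; on the page the salt would be the output of time()
    for name, value in compare(b"hunter2", b"1300000000").items():
        print(f"{name}: {value}")
```

The manual construction agrees with the library HMAC byte for byte, while both the concatenated hash and the nested approximation come out different, which is why $pass1 and $pass2 never match.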