Why is crypt() generating different results?

问题

Crypt is generating different hashes with the same input data, and the [following] previously functional hash generator/check is no longer working for authenticating users:

public static function blowfish($password, $storedpass = false) {
    //if encrypted data is passed, check it against input ($info) 
      if ($storedpass) { 
            if (substr($storedpass, 0, 60) == crypt($password, "$2y$08$".substr($storedpass, 60))) { 
                return true; 
            }  else { 
                return false; 
            } 
      }  else { 
          //make a salt and hash it with input, and add salt to end 
          $salt = ""; 
          for ($i = 0; $i < 22; $i++) { 
            $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1); 
          } 
          //return 82 char string (60 char hash & 22 char salt) 
          return crypt($password, "$2y$08$".$salt).$salt; 
     }
}

I'm banging my head against the wall and have found no answers in differences between Zend's internal algorithms vs PHP vs operating system algorithms; or variations between PHP 5.3.8 vs earlier...

EDIT: My question is technically answered, and it is my fault I didn't ask properly. I've implemented:

$salt = substr(bin2hex(openssl_random_pseudo_bytes(22)), 0, 22);
          //for ($i = 0; $i < 22; $i++) { 
            //$salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1); 
          //} 

My real question is; why are the following functions returning differently?

print(substr($storedpass, 0, 60)."<br />");

returns: $2y$08$43f053b1538df81054d4cOJyrO5/j7NtZBCw6LrFof29cLBs7giK6

print(crypt($password, "$2a$08$".substr($storedpass, 60)));

returns: $2a$08$43f053b1538df81054d4cOPSGh/LMc0PZx6RC6PlXOSc61BKq/F6.

回答1:

Because you are creating the salt with the help of random numbers,

The function mt_rand() will create random number each time when you are calling, optionally with min, max parameters. Usually for strong cryptography password hashing, Salt should be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).

Then come to your problem, i assume there will be no difference in algorithm between ZEND and php. Because zend is a framework wrapping around the core php, and make use of it.

To verify the password, how the crypt check work is

crypt($password, $stored_hash) == $stored_hash;

Once you stored the hash when you hash first, it will be easy to verify by this.

That is what actually happens here, if you pass the hash as second parameter to the function blowfish, it will return the verification by a bool value, regardless of the salt.

if (substr($storedpass, 0, 60) == crypt($password, "$2y$08$".substr($storedpass, 60))) { 
    return true; 
}  else { 
    return false; 
}

for your information about hashing and security read this

Hope this helps

来源：https://stackoverflow.com/questions/11974091/why-is-crypt-generating-different-results