Can you convert the output of php crypt() to valid MD5?

Asked 20/1, 2009 at 15:36 Answered 10/2, 2010 at 15:5

I have some strings that have been encrypted using the PHP function crypt().

The outputs look something like this:

$1$Vf/.4.1.$CgCo33ebiHVuFhpwS.kMI0
$1$84..vD4.$Ps1PdaLWRoaiWDKCfjLyV1
$1$or1.RY4.$v3xo04v1yfB7JxDj1sC/J/

While I believe crypt() is using the MD5 algorithm, the outputs are not valid MD5 hashes.

Is there a way of converting the produced hashes into valid MD5 hashes (16-byte hex values)?

Update:

Thanks for the replies so answers so far. I'm pretty sure the crypt function used is using some sort of MD5 algorithm. What I'm looking to do is convert the ouput that I have into an MD5 hash that looks something like the following:

9e107d9d372bb6826bd81d3542a419d6  
e4d909c290d0fb1ca068ffaddf22cbd0  
d41d8cd98f00b204e9800998ecf8427e

(taken from Wikipedia)

Is there a way of converting from the hashes I have to ones like the above?

Hannus answered 20/1, 2009 at 15:36 Comment(4)

Could you please expound a bit on what it is you're trying to accomplish? No offense meant, but this sounds like step 1 in a recipe on how to conduct a rainbow table attack on a password database, and people might be reluctant to help unless convinced it's not for evil purposes... – Jahdai 20/1, 2009 at 16:18

One result is base64 encoded, the other is just base16 encoded. – Cowart 20/1, 2009 at 16:28

@genesis: Why are you changing the URL linked to, but not the one shown on the page? – Merrill 13/11, 2011 at 15:13

@PaloEbermann: Because I have forgotten that one – Hearttoheart 13/11, 2011 at 21:5

OK, so maybe this answer is a year late, but I'll give it a shot. In your own answer, you note that crypt() is using the FreeBSD MD5, which also does some interesting transformations on the salt before running the hash, so the result of what I'm about to give you will never quite match up with the results of a call to md5(). That said, the only difference between the output you are seeing and the format you are used to is that the output you are seeing is encoded as follows

$1$        # this indicates that it is MD5
Vf/.4.1.   # these eight characters are the significant portion of the salt
$          # this character is technically part of the salt, but it is ignored
CgCo33eb   # the last 22 characters are the actual hash
iHVuFhpw   # they are base64 encoded (to be printable) using crypt's alphabet
S.kMI0     # floor(22 * 6 / 8) = 16 (the length in bytes of a raw MD5 hash)

To my knowledge, the alphabet used by crypt looks like this:

./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

So, with all of this borne in mind, here is how you can convert the 22 character crypt-base64 hash into a 32 character base16 (hexadecimal) hash:

First, you need something to convert the base64 (with custom alphabet) into a raw 16-byte MD5 hash.

define('CRYPT_ALPHA','./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
/**
 * Decodes a base64 string based on the alphabet set in constant CRYPT_ALPHA
 * Uses string functions rather than binary transformations, because said
 * transformations aren't really much faster in PHP
 * @params string $str  The string to decode
 * @return string       The raw output, which may include unprintable characters
 */
function base64_decode_ex($str) {
    // set up the array to feed numerical data using characters as keys
    $alpha = array_flip(str_split(CRYPT_ALPHA));
    // split the input into single-character (6 bit) chunks
    $bitArray = str_split($str);
    $decodedStr = '';
    foreach ($bitArray as &$bits) {
        if ($bits == '$') { // $ indicates the end of the string, to stop processing here
            break;
        }
        if (!isset($alpha[$bits])) { // if we encounter a character not in the alphabet
            return false;            // then break execution, the string is invalid
        }
        // decbin will only return significant digits, so use sprintf to pad to 6 bits
        $decodedStr .= sprintf('%06s', decbin($alpha[$bits]));
    }
    // there can be up to 6 unused bits at the end of a string, so discard them
    $decodedStr = substr($decodedStr, 0, strlen($decodedStr) - (strlen($decodedStr) % 8));
    $byteArray = str_split($decodedStr, 8);
    foreach ($byteArray as &$byte) {
        $byte = chr(bindec($byte));
    }
    return join($byteArray);
}

Now that you've got the raw data, you'll need a method to convert it to the base-16 format you're expecting, which couldn't be easier.

/**
 * Takes an input in base 256 and encodes it to base 16 using the Hex alphabet
 * This function will not be commented.  For more info:
 * @see http://php.net/str-split
 * @see http://php.net/sprintf
 *
 * @param string $str   The value to convert
 * @return string       The base 16 rendering
 */
function base16_encode($str) {
    $byteArray = str_split($str);
    foreach ($byteArray as &$byte) {
        $byte = sprintf('%02x', ord($byte));
    }
    return join($byteArray);
}

Finally, since the output of crypt includes a lot of data we don't need (and, in fact, cannot use) for this process, a short and sweet function to not only tie these two together but to allow for direct input of output from crypt.

/**
 * Takes a 22 byte crypt-base-64 hash and converts it to base 16
 * If the input is longer than 22 chars (e.g., the entire output of crypt()),
 * then this function will strip all but the last 22.  Fails if under 22 chars
 *
 * @param string $hash  The hash to convert
 * @param string        The equivalent base16 hash (therefore a number)
 */
function md5_b64tob16($hash) {
    if (strlen($hash) < 22) {
        return false;
    }
    if (strlen($hash) > 22) {
        $hash = substr($hash,-22);
    }
    return base16_encode(base64_decode_ex($hash));
}

Given these functions, the base16 representation of your three examples are:

3ac3b4145aa7b9387a46dd7c780c1850
6f80dba665e27749ae88f58eaef5fe84
ec5f74086ec3fab34957d3ef0f838154

Of course, it is important to remember that they were always valid, just formatted differently.

Haste answered 10/2, 2010 at 15:5 Comment(5)

I'm afraid md5-crypt's output does not just differ from a md5 hash by just base64-encoding with a custom alphabet. Looking at one of the instances of the implementation, google.com/codesearch/p?hl=en#eiS4vny31P0/Linux-PAM-0.99.7.0/… md5-crypt also massages hashes in such a way as to make the encryption computation-intensive (relatively to the computational power available at the time, see the comment about a 60MHz Pentium). The solution you provide does not invert that transformation. – Asha 17/12, 2010 at 2:52

Holy crap, coming back from beyond the grave to downvote me, and furthermore not on the basis of the question? The issue at hand was that the values coming out of the crypt() function didn't LOOK like the asker wanted them to -- this was a solution to the asker's issue with the visual representation of the hash, not making the hash produced by md5() equitable to the hash produced by crypt(). In my humble opinion, this is not what the downvote button is for. – Haste 21/12, 2010 at 16:40

The base64 encoded versions don't have padding. The hashes are 128 bits long so after stepping through it 6 bit at a time you will have 2 bits remaining. An obvious solution is to use these as LSBs and use the index as usual. The strange thing is that although each of the provided hashes end in 00 bitpairs, the last character of their base64 representation (from the Q) differ. Can you please explain this? – Swindle 4/8, 2013 at 14:43

@buherator, (1/2) sorry I didn't notice this sooner. First, 22 chars x 6 bits = 132 bits of data. We could take the extra 4 bits from 132 Mod 8 and create another byte, but this is unlikely to be the correct solution because (a) it means we could only ever generate output for the last byte in a very specific range (either high or low order), which seems unlikely, and (b) the length of an MD5 hash is known at 128 bits. This seems to indicate that the remaining 4 bits can be discarded, but going down this path led me to another, in the next comment. – Haste 22/9, 2015 at 18:26

@buherator, (2/2). After analyzing the sample hashes, I noticed that there was always a little data left over that I was truncating in the last four bits; in fact, it seemed that the last character was always a relatively low number that would only have data in the last two bits. This most likely means one of two things (possibly both): (a) My custom B64 alphabet is wrong. (b) The values are serialized in little-endian order. Testing makes the second case seem more likely, and using strrev around sprintf in base64_decode_ex fixes it. – Haste 22/9, 2015 at 18:32

$1$ indeed means that this is a MD5 hash, but crypt generates a random salt. This is why you find a different MD5 value. If you include the generated salt you will find the same result.

The salt is base64 encoded in the output, as the hash.

The algorithm used is a system wide parameter. Generally this is MD5, you are right.

Cowart answered 20/1, 2009 at 15:50 Comment(0)

I believe the answer to my original question is no, you can't convert from one format to the other.

The hashes generated by php crypt() appear to be generate by a version of the FreeBSD MD5 hash implementation created by Poul-Henning Kamp.

http://people.freebsd.org/~phk/

Hannus answered 21/1, 2009 at 16:2 Comment(0)

From the documentation, this depends on the system. You can force the algorithm used by setting the salt parameter. From the docs:

The encryption type is triggered by the salt argument. At install time, PHP determines the capabilities of the crypt function and will accept salts for other encryption types. If no salt is provided, PHP will auto-generate a standard two character salt by default, unless the default encryption type on the system is MD5, in which case a random MD5-compatible salt is generated.

Frederickson answered 20/1, 2009 at 15:47 Comment(0)

From http://php.net/crypt:

crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system.

You want the md5() function:

Calculates the MD5 hash of str using the » RSA Data Security, Inc. MD5 Message-Digest Algorithm, and returns that hash.
If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16. Defaults to FALSE.

Canales answered 20/1, 2009 at 15:49 Comment(1)

Actually, one of the alternative algorithms (this one indicated by $1$ ) is a (salted) MD5 algorithm. – Merrill 13/11, 2011 at 15:20

Recommended topics

Hot tags