• 0

2 Questions about Hash Strings

Asked by Brian Miller,

 Share

Question

Grand Master

Brian Miller

Posted
Posted (edited)

When I generate a hash (say SHA256 or SHA512) , the hash string is composed of a combination of a-f and 0-9.

 

  1. Is there a way to generate a hash string that is composed of a-z, A-Z and 0-9? 
  2. Is there away to control what characters are used so if I only wanted m-z, A-L, 0-9 and "-_=*^#@!()[]{}<>;:,.?" that would be a possibility?
Link to comment
https://www.neowin.net/forum/topic/1369666-2-questions-about-hash-strings/
Share on other sites

11 answers to this question

Recommended Posts

  • 0
Veteran

ZakO

Posted
Posted (edited)

You could base36 encode the hash output to give you a string composed of a-z0-9 (or write a simple custom cipher to map to whatever set of characters you want) but I can't think of a reason why you would want to do this?

  • 0
Grand Master

Brian Miller

Posted
  • Author
Posted

Understanding why it's needed is my business. But thank you.

 

Secondly ,PHP does this when creating a session. You are able to customize it's sid_bits_per_character to 6, which does a-zA-Z and 0-9; thus I assumed there is a method to specify what values you want to be included as the components of the hash.

  • 0
Veteran

ZakO

Posted
Posted (edited)

You assumed wrong. What PHP is doing is completely independent of the hashing method, it's simply taking the bits returned from (any) hashing method and rather than displaying them as a hexadecimal representation it's encoding them into a string using a character set of their choosing, just as I said you could do:

  


static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";

static void bin_to_readable(unsigned char *in, size_t inlen, char *out, size_t outlen, char nbits) /* {{{ */
{
	unsigned char *p, *q;
	unsigned short w;
	int mask;
	int have;

	p = (unsigned char *)in;
	q = (unsigned char *)in + inlen;

	w = 0;
	have = 0;
	mask = (1 << nbits) - 1;

	while (outlen--) {
		if (have < nbits) {
			if (p < q) {
				w |= *p++ << have;
				have += 8;
			} else {
				/* Should never happen. Input must be large enough. */
				ZEND_ASSERT(0);
				break;
			}
		}

		/* consume nbits */
		*out++ = hexconvtab[w & mask];
		w >>= nbits;
		have -= nbits;
	}

	*out = '\0';
}

https://github.com/php/php-src/blob/master/ext/session/session.c#L269

 

 

I asked why because I hope you're not using this for security purposes, based on the fact that you had to ask this question in the first place you're more likely to end up reducing security rather than increasing it. 

Edited by ZakO
  • Brian Miller and goretsky
  • Like 1
  • Thanks 1
  • 0
Grand Master

+Fahim S. MVC

Posted
  • MVC
Posted

1. No you can only have one of A-Z or a-z.  This can be done by encoding the string that your hashing algorithm to something that is hex.

2. No, this defeats the point of a hash.  I can't think of a good reason for doing this.

  • 0
Grand Master

Brian Miller

Posted
  • Author
Posted (edited)
  On 05/08/2018 at 11:20, Fahim S. said:

1. No you can only have one of A-Z or a-z.  This can be done by encoding the string that your hashing algorithm to something that is hex.

2. No, this defeats the point of a hash.  I can't think of a good reason for doing this.

Expand  

Thanks.

It's funny when I make inquiries, rather than answering I am offered personal opinions of understanding.  

 

While you offered some answers, you added your ego (or lack of worldly experience) in to the mix.  You do not need to know why I want something.  The comment of "I can't think of a good reason for doing this" is naive and immature.  Of course you cannot think of a good reason to do this; it's because you haven't lived my life; surely you understand that. But mostly that comment is completely a relevant.

 

In future, just answer the question and don't interject your immaturity in to your response.

 

Cheers mate.

Edited by Brian Miller
  • 0
Grand Master

Brian Miller

Posted
  • Author
Posted
  On 05/08/2018 at 10:51, ZakO said:

You assumed wrong. What PHP is doing is completely independent of the hashing method, it's simply taking the bits returned from (any) hashing method and rather than displaying them as a hexadecimal representation it's encoding them into a string using a character set of their choosing, just as I said you could do:

   


static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";

static void bin_to_readable(unsigned char *in, size_t inlen, char *out, size_t outlen, char nbits) /* {{{ */
{
	unsigned char *p, *q;
	unsigned short w;
	int mask;
	int have;

	p = (unsigned char *)in;
	q = (unsigned char *)in + inlen;

	w = 0;
	have = 0;
	mask = (1 << nbits) - 1;

	while (outlen--) {
		if (have < nbits) {
			if (p < q) {
				w |= *p++ << have;
				have += 8;
			} else {
				/* Should never happen. Input must be large enough. */
				ZEND_ASSERT(0);
				break;
			}
		}

		/* consume nbits */
		*out++ = hexconvtab[w & mask];
		w >>= nbits;
		have -= nbits;
	}

	*out = '\0';
}

https://github.com/php/php-src/blob/master/ext/session/session.c#L269

 

 

I asked why because I hope you're not using this for security purposes, based on the fact that you had to ask this question in the first place you're more likely to end up reducing security rather than increasing it. 

Expand  

 

Thanks dude, that's what I thought too.  I like your idea of the Base encoding it, I may use Base56.

 

The reason I had asked is because I wanted to learn about forming such strings, and not necessarily for any foolish attempt at security.  The formation of BitCoin addresses such as "1BoNtSLRHtKNngkdx3e0bR7gb53L3TtpYt" first peeked my curiosity, then when I discovered PHP sessions can also include  a-zA-Z and 0-9 when setting it's sid_bits_per_character to 6 prompted me to enquire with learned people here.

 

  • 0
Grand Master

+Fahim S. MVC

Posted
  • MVC
Posted
  On 06/08/2018 at 03:26, Brian Miller said:

Thanks.

It's funny when I make inquiries, rather than answering I am offered personal opinions of understanding.  

 

While you offered some answers, you added your ego (or lack of worldly experience) in to the mix.  You do not need to know why I want something.  The comment of "I can't think of a good reason for doing this" is naive and immature.  Of course you cannot think of a good reason to do this; it's because you haven't lived my life; surely you understand that. But mostly that comment is completely a relevant.

 

In future, just answer the question and don't interject your immaturity in to your response.

 

Cheers mate.

Expand  

Err... ok. 

 

As we are offering tips to one-another let me give you one: a bit of context can go a long way in getting an answer.  Developers like solving problems, and without detail of the underlying problem it is difficult to help. 

 

The comment was intended to probe for context (suggest you read about the 5 whys) so that I can try my best (within the bounds of my knowledge) to help you come to an answer quicker.  I apologise for the negative impression that you drew from it.

  • +Nik Louch and SteveL
  • Like 2
  • 0
Proficient

neoraptor

Posted
Posted (edited)
  On 06/08/2018 at 03:26, Brian Miller said:

Thanks.

It's funny when I make inquiries, rather than answering I am offered personal opinions of understanding.  

 

While you offered some answers, you added your ego (or lack of worldly experience) in to the mix.  You do not need to know why I want something.  The comment of "I can't think of a good reason for doing this" is naive and immature.  Of course you cannot think of a good reason to do this; it's because you haven't lived my life; surely you understand that. But mostly that comment is completely a relevant.

 

In future, just answer the question and don't interject your immaturity in to your response.

 

Cheers mate.

Expand  

 

Mate, I see your post count and reputation, but this doesn't mean you should act like an a**hole  You are not paying those people to have such expectations for their answers. From my point of view those were relevant and polite answers and doing their best to help you.

 

...and yes adding my ego is perfectly fine on public forum.

 

Have a nice day!

  • 0
Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

 

SHA-256 and SHA-512 output their results in hexadecimal notation, which is why you see 0-9 and a-f used in the results--those are the sixteen digits which compose hexadecimal notation.

 

Instead of having to re-write the hashing algorithms to provide your own numbering system, perhaps it would be better to use something like SSDeep, instead, which supports a larger encoding set?

 

Regards,

 

Aryeh Goretsky

 

  • 0
Grand Master

+BudMan MVC

Posted
  • MVC
Posted
  On 06/08/2018 at 03:26, Brian Miller said:

You do not need to know why I want something.

Expand  

You clearly do not understand how forums work... That you got the answers you got is way more than I would ever in a million years given you..  With such a comment when asked why..

  • 0
Grand Master

Seahorsepip Veteran

Posted
  • Veteran
Posted

Just encode the hash, shortest practical encoding I can find is base85.

 

Encoding: input -> SHA256/512 -> base85

Decoding: base85 -> SHA256/512 -> Find input data with hash

 

There are multiple common base encodings: base2(1), base10(2), base16(3), base32, base36, base58, base64(4), base85, base91(5), base128(6)

 

Above base encodings have a default character set of X characters that are being used for encoding, but it's possible to replace those with your own character set.

 

  1. Base encoding of binary data (0 & 1)
  2. Base encoding of a decimal number (0-9)
  3. Base encoding of hexidecimal string like a SHA512 hash (A-F0-9)
  4. Base encoding commonly used for encoding binary data to a string to embed it in websites
  5. Base encoding with most printable characters
  6. Base encoding of a byte and ascii string

 

BUT

If you actually try to encode your hash you will find the string doesn't become shorter ?

 

Original: 

seahorsepip

SHA512:  

F9AA2F6D639C026E3325F31247E8253987D6EC6EEC7E93764F9F3CC25D08FABA7DF95FAF94779CACF22D72F96EEE88D46C90A8CE727944218A1DC272EDA29084

base85:  

mMA+2gdBe&hzWuXfFUKPgCZ^zmL=+Og=E&.gbQ<Fi5:k-mme$4mmf15iwSPLg!6F{gEBI+hafbTmNovbh:*a}hax(3iw-VNiyu81mLV.!h.)&.hBQ56i5<q.hBxFUk@.k2h.)rLg=c%xi6/n!lOZOQmmoA%iwrAH

 

Why doesn't it become shorter?

When you create a hash from data it returns a hash string in the hexadecimal format, also known as base16.

So when you encode the hash as a string using base85 you actually tell the base85 encoder that the input is an ascii string (base128), so that means you're encoding a base128 string to a base85 string which results in a longer instead of shorter string!

 

How to fix this?

Make sure to actually let the base85 encoder know that the input format is base16.

So to do that you can actually convert the hex string to bytes(base128) with hex2bin in php for example and use those bytes as input for the base85 encoder.

This means the encoding would be: input -> SHA256/512(base16) -> bytes(base128) -> base85

 

Original: 

seahorsepip

SHA512:  

F9AA2F6D639C026E3325F31247E8253987D6EC6EEC7E93764F9F3CC25D08FABA7DF95FAF94779CACF22D72F96EEE88D46C90A8CE727944218A1DC272EDA29084

base85:  

}kM8+w1iQrgBqS9n9zlVHT$*f)0+dwpOf+^t)QqrEFElNLY@U0[?1[TzTJtgy(>QvA^p4@IxfMO)v]X}

And even shorter base91 (only 1 char shorter in this example): 

?e#a_*!Og$d0Rh"Y4Qx.=8}^zpmb~^B4aGWI;`W=?}5&b`B3w0Exl`S[GYF#fG9.1,vcLH]LR%LxhzQ

 

And the encoded string is now shorter :D

 

Php libraries to do this:

hex2bin: http://php.net/hex2bin

base85: https://github.com/tuupola/base85

 

So php code to create a shorter hash: 

$shorterHash = $base85->encode(hex2bin(hash($file)))

 

Update:

Seems like you wanted to create a custom base56 encoding, to do that we could manually create functions encode and decode it: 

$base56_digits = '0123456789ABCDEFGHIJKLMNOPQRSTVWXYZabcdefghijklmnopqrstv';
$custom_digits = 'mnopqrstvwxyzABCDEFGHIJKL0123456789-_=*^#@!()[]{}<>;:,.?';

function encode($base16) {
    global $base56_digits, $custom_digits;

    $base56 = base_convert($base16, 16, 56);
    $custom = strtr($base56, $base56_digits, $custom_digits);

    return $custom;
}

function decode($custom) {
    global $base56_digits, $custom_digits;

    $base56 = strtr($custom, $custom_digits, $base56_digits);
    $base16 = base_convert($base56, 56, 16);

    return $base16;
}

But above doesn't work since php base_convert is limited to base36 :(

Instead you can use a magnificent 3rd party library: https://github.com/ArtBIT/base_convert

 

And then you have: 

$custom_digits = 'mnopqrstvwxyzABCDEFGHIJKL0123456789-_=*^#@!()[]{}<>;:,.?';

function encode($base16) {
    global $custom_digits;

    return math\base_convert($base16, 16, $custom_digits);
}

function decode($custom) {
    global $custom_digits;

    return math\base_convert($custom, $custom_digits, 16);
}

Original: 

seahorsepip

SHA512:  

F9AA2F6D639C026E3325F31247E8253987D6EC6EEC7E93764F9F3CC25D08FABA7DF95FAF94779CACF22D72F96EEE88D46C90A8CE727944218A1DC272EDA29084

Custom base56:  

n<^(q8}=_G@x0;B1]K6zD-DF*96yE-6L#_>K8vJ},vCz02m,8yB][4qA^12>.pw>2-?_m,{0L<qFCK:K,2@04)3s:

 

TL;DR

All data is encoded in a specific base, data can be represented as a shorter string by increasing it's base and can be respresented with a smaller character dictionary by decreasing it's base.

 

Oftopic:

  Quote

Stop the bickering back and forth, we're here to learn things and help each other, if someone doesn't want to share why he wants to do something then that's his right.

Though that doesn't mean that you have to be rude about it, if you don't want to share the why, let others know in a respectful manner.

Expand  

 

  • Brandon H and goretsky
  • Like 2
This topic is now closed to further replies.
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • This hidden Windows 11 setting makes the system feel a lot faster

      By escobar_ · Posted

      I honestly think this does not make any noticable difference to anyone with a PC with average specs.
    • OpenAI takes down all traces of Jony Ive "io" deal following court order

      By David Uzondu · Posted

      OpenAI takes down all traces of Jony Ive "io" deal following court order by David Uzondu Early this month, we reported that OpenAI was working on a mobile gadget in the form of a screenless, wearable device, born from a newfound partnership (friendship?) between renowned former Apple designer Jony Ive and OpenAI CEO Sam Altman. The announcement came with a video that had the two men talking about the future of technology. Well, that video has now been made private on YouTube, and the original announcement page has been taken down. The whole thing is on pause because of a simple trademark dispute. OpenAI was forced to pull the materials following a court order. If you visit the original announcement page, it now says: Despite the legal hassle over the name, the actual business deal seems safe. According to Bloomberg's Mark Gurman, the acquisition itself is unaffected by the complaint. So, who is iyO (pronounced eye-oh), the other party in this mess? If the name sounds unfamiliar, its background will not. This iyO company is an independent startup that graduated from X, Alphabet's moonshot factory, and yes, that is the same Alphabet, the parent company of Google. iyO claims to be on a mission to bring "natural language computing" to the masses. A quick look shows two products listed on its website: the Vad Pro, a high-end wired audio device for professionals, and iyO One, a set of AI-powered earbuds the company is calling the "world's first audio computer." A judge reportedly found its trademark lawsuit against OpenAI credible enough to issue the restraining order, suggesting the ChatGPT creator's video could create genuine consumer confusion between the two similarly named ventures.
    • This hidden Windows 11 setting makes the system feel a lot faster

      By eiffel_g · Posted

      I've set since XP - Best performance in the Performance settings. 11 included. I enable only the show shadows after that, so I can see better fonts and mouse.. But hardly I can say I can see a difference today.
    • Next-gen AMD GPUs reported to support HDMI 2.2 with up to 80Gbit/s bandwidth

      By Paul1979UK · Posted

      Yeah this kinda means nothing to me if it's going to be the same mess as HDMI 2.1 where it was difficult to know what features you were getting. It was way too confusing, designed to fool us into thinking we was getting something better with the higher number when a lot of the times we didn't get anything better because companies can add and remove features at will, which if that is the case for 2.2, then who cares lol.
    • Someone wrote a script to block 'brainrot' content online using an $8 smart plug

      By Usama Jawad96 · Posted

      Someone wrote a script to block 'brainrot' content online using an $8 smart plug by Usama Jawad Original image via Neil Chen Many people use smart plugs nowadays due to the various advantages they offer, including automation, integration with mobile software, increased home security, better energy efficiency, and compatibility with other smart products. However, a smart plug customer has gone a step further by enhancing their hardware in a way that it blocks them from viewing "brainrot" content online, or any website, for that matter. As seen in a popular thread over on Hacker News, a person known as "NWChen" has written a script that connects to the $8 Kasa Smart Wi-Fi Plug Mini and utilizes it to restrict access to websites of your choice. In essence, this plug then acts as a physical switch that you can toggle to visit certain websites. NWChen's main motivation behind this initiative was to avoid brainrot, with examples listed as X (formerly known as Twitter), Instagram, YouTube, and Reddit in their blog post. In terms of technical functionality, the smart plug connects to Wi-Fi (obviously) and hosts a physical switch that can be used to turn it on and off. NWChen's script connects to the smart plug via an API and then polls its state. If it's on, websites of your choice get restricted and you can't open them anymore, until you physically get up and turn off the plug, or remove the website from you blocklist. NWChen has recommended plugging in the hardware far away from you so there is sufficient resistance in turning off the plug. In the thread, many have praised this invention, believing that the nature of this mechanism provides enough hurdles where you'd rather just not visit the problematic websites anymore. However, some have noted that "those without self control cannot be trusted if they hold the switch". Some have also highlighted a problem where a user can simply stop the script's execution without much friction. Overall, it's a fairly interesting setup, even if it's fairly rudimentary in nature. Configuring this physical block with a Kasa smart plug is fairly easy. You can simply download the script from the laptop-brick GitHub project here, install it, get the IP address of your smart plug, and then use it when you're executing the script. You can modify the blocklist using a dedicated file present inside the GitHub project.

  • Recent Achievements

    • Conversation Starter
      Brett76 earned a badge
      Conversation Starter
    • One Month Later
      Miguel Batista earned a badge
      One Month Later
    • Dedicated
      moojay67 earned a badge
      Dedicated
    • One Month Later
      Jim Dugan earned a badge
      One Month Later
    • First Post
      Johnny Mrkvička earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      653
    2. 2
      Michael Scrip
      229
    3. 3
      ATLien_0
      220
    4. 4
      Steven P.
      151
    5. 5
      Xenon
      144
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!