问题
Assuming we have a salt that's in the database and that has been generated like this
$salt = time();
What is the difference between these 2 lines.
$pass1 = hash('sha1', $password . $salt);
$pass2 = hash_hmac('sha1', $password, $salt);
They don't produce the same output. The first one, the hash function takes 2 params, while the hash_hmac needs 3 params. You would therefore think that we can get that third extra param by using the $salt separately (to fulfill the third param) as opposed to concatenating it with the password ($password . $salt) like we did in line 2. But it's not that simple, the 2 results are different. Why? What is going on exactly here?
回答1:
Because HMAC SHA-1 is not the same as SHA-1 with the message and key concatenated. HMAC is more like sha1($salt . sha1($salt . $password)), but not exactly. Wikipedia has a nice description of HMAC.
来源:https://stackoverflow.com/questions/1629415/how-are-these-2-lines-of-php-different