Current Location: Home> Latest Articles> Hash_final security practices in combination with openssl function

Hash_final security practices in combination with openssl function

gitbox 2025-05-19

In PHP, hash_final is part of the hash context, used to complete hash calculations and return the final digest. Security practice is particularly important when you use it with openssl series functions (such as openssl_encrypt , openssl_decrypt , openssl_sign , etc.) that involves encryption, decryption or signature of sensitive data. This article will dive into how to safely combine these two tools, avoid common pitfalls, and provide secure code examples.

1?? Understand the basic usage of hash_final

hash_final is used in conjunction with hash_init and hash_update to calculate hash in step by step:

 $context = hash_init('sha256');
hash_update($context, 'data part 1');
hash_update($context, 'data part 2');
$hash = hash_final($context);

? Notice :

  • Once hash_final is called, the context cannot be used to continue updating.

  • The resulting $hash is in binary form unless a true parameter is passed in.

Example:

 $hash = hash_final($context, true); // raw binary

Why focus on binary? Because some functions of openssl (such as openssl_encrypt ) require that the key or IV (initialization vector) is strictly length binary data.

2?? Safely combined with openssl function

When you use hash_final to generate a key or IV and pass it into openssl , special attention needs to be paid to:

? Ensure the length is consistent

  • For example, AES-128 requires a 16-byte key; if you have sha256 , substr needs to intercept the first 16 bytes.

? Use original binary mode

  • Do not use the default hexadecimal output (64 bytes) as the key, openssl_encrypt requires the actual byte length, not the string.

Example:

 $context = hash_init('sha256');
hash_update($context, 'my secret passphrase');
$rawKey = hash_final($context, true); // 32 bytes (sha256 output)

$key = substr($rawKey, 0, 16); // For AES-128
$iv = substr($rawKey, 16, 16); // Use next 16 bytes as IV

3?? Recommended security code practices

Complete security example: Use hash_final to derive the key, and encrypt the data in conjunction with openssl_encrypt .

 <?php

$passphrase = 'super_secret_password';
$data = 'Sensitive data to encrypt';

// Derive key + IV from passphrase
$context = hash_init('sha256');
hash_update($context, $passphrase);
$rawHash = hash_final($context, true); // 32 bytes

$key = substr($rawHash, 0, 16); // AES-128 key
$iv = substr($rawHash, 16, 16); // IV

// Encrypt data
$ciphertext = openssl_encrypt(
    $data,
    'AES-128-CBC',
    $key,
    OPENSSL_RAW_DATA,
    $iv
);

// Encode ciphertext for transport (e.g., base64)
$encoded = base64_encode($ciphertext);
echo "Encrypted: $encoded\n";

// Decrypt
$decoded = base64_decode($encoded);
$decrypted = openssl_decrypt(
    $decoded,
    'AES-128-CBC',
    $key,
    OPENSSL_RAW_DATA,
    $iv
);
echo "Decrypted: $decrypted\n";
?>

The URL used here (if you need to send encrypted data) should be:

 https://gitbox.net/api/submit
Related