Introduction

This extension provides functions that can be used for direct or incremental processing of arbitrary length messages using a variety of hashing algorithms, including the generation of HMAC values and key derivations including HKDF and PBKDF2.

There are roughly three categories of hashing algorithms, and a complete list of algorithms can be found in the documentation for hash_algos.

  • Checksum algorithms (such as "crc32b" or "adler32"): These are used to calculate checksums, useful in situations such as when transmission errors are to be detected. They are often very fast. These algorithms often generate values that are easily "guessable" or can be manipulated to create collisions, so they are entirely unsuitable for cryptographic use.
  • Non-cryptographic algorithms (such as the xxHash family): These are often used to calculate hash values for hash tables, as they are designed to yield a good distribution over arbitrary string inputs. They are also generally fast, but also not suitable for cryptographic use.
  • Cryptographic algorithms (such as the SHA-2 family): These are designed to yield hash values that are representative of their inputs but are not guessable nor prone to collisions. Performance is often a secondary concern, but modern hardware often supports special handling for these algorithms that PHP tries to use when available. The Computer Security Resource Center of the NIST has » explanation of the algorithms currently approved by United States Federal Information Processing Standards.
    Caution

    Some of the early cryptographic algorithms, such as "md4", "md5", and "sha1", have been proven to be prone to collision attacks and it is generally recommended to no longer use these for cryptographic applications.

See also the FAQ on Safe Password Hashing for information on best practices for using hash functions in handling passwords.