Longhorn PHP 2023 - Call for Papers


(PHP 4 >= 4.0.4, PHP 5, PHP 7, PHP 8)

mhash_keygen_s2kGenerates a key


This function has been DEPRECATED as of PHP 8.1.0. Relying on this function is highly discouraged.


    int $algo,
    string $password,
    string $salt,
    int $length
): string|false

Generates a key according to the given algo, using an user provided password.

This is the Salted S2K algorithm as specified in the OpenPGP document (» RFC 2440).

Keep in mind that user supplied passwords are not really suitable to be used as keys in cryptographic algorithms, since users normally choose keys they can write on keyboard. These passwords use only 6 to 7 bits per character (or less). It is highly recommended to use some kind of transformation (like this function) to the user supplied key.



The hash ID used to create the key. One of the MHASH_hashname constants.


An user supplied password.


Must be different and random enough for every key you generate in order to create different keys. Because salt must be known when you check the keys, it is a good idea to append the key to it. Salt has a fixed length of 8 bytes and will be padded with zeros if you supply less bytes.


The key length, in bytes.

Return Values

Returns the generated key as a string, or false on error.


Version Description
8.1.0 This function has been deprecated. Use the hash_*() functions instead.

add a note

User Contributed Notes 3 notes

alix dot axel+php at gmail dot com
10 years ago
I looked into mhash and PHP source code and I've ported this function to pure PHP:


function keygen_s2k($hash, $password, $salt, $bytes)
$result = false;

    if (
extension_loaded('hash') === true)
$times = $bytes / ($block = strlen(hash($hash, null, true)));

        if (
$bytes % $block != 0)

        for (
$i = 0; $i < $times; ++$i)
$result .= hash($hash, str_repeat("\0", $i) . $salt . $password, true);


16 years ago
Correction to ray ferguson post,

As said in the doc : "mhash_keygen_s2k generates a key that is bytes long, from a user given password and use the specified hash algorithm to create the key." if It wasn't clear to anyone.

The non mhash function is good as long you do not need a key longer than native MD5 hash (16 bytes)  it wont give you more.

So the non mhash function work OK but they ARE NOT the same thing.

Just try ray ferguson exemple asking for a 32 bytes key.

Returning a substring longer than the packed 16 bytes string won't add anything to the string. Salted S2K algorithm does add to the key.  So better use mhash lib or create something more alike the RFC 2440 specs.

I know the post is late on regard to Ray's post but if it can help someone not waisting time like me.
19 years ago
// given random 8 bits of salt and a clear text password

$clear_pw = "p4ssw0rd" ;
$rand8bites4salt = substr(pack("h*", md5(mt_rand())) , 0, 8);

// This

mhash_keygen_s2k(MHASH_MD5, $clear_pw, $rand8bites4salt, 4) ;

//is the same as this

function myhash_keyge_s2k($pass, $salt, $bytes ){
      return substr(pack("H*", md5($salt . $pass)), 0, $bytes);

myhash_keyge_s2k($clear_pw, $rand8bites4salt, 4);

// But the latter doesn't require mhash libs.

// -ray ferguson
To Top