Newsgroups: php.internals
Date: Mon, 16 Jul 2012 10:21:08 -0400
To: Andrew Faulds
Cc: Nikita Popov, PHP internals
Subject: Re: [PHP-DEV] Random string generation (á la password_make_salt)
From: Anthony Ferrara <ircmaxell@gmail.com>

I like the concept in principle. But implementing it is non-trivial.

First, you need a base-conversion function that will allow you to convert between arbitrary bases (base_convert() won't work, because it only works on fixed bases, and on numbers < INT_MAX)...

Here's a utility class that does just that:

https://github.com/ircmaxell/PHP-CryptLib/blob/master/lib/CryptLib/Core/BaseConverter.php

It works on arrays internally, since they are easier to work with in PHP, but in C I would make it work with a char* array instead...

As far as the implementation itself, I would also add a third parameter for crypto_safe. We could take mcrypt_create_iv's approach, and use DEV constants:

    // Crypto Secure
    random_string(24, "chars", DEV_RANDOM);
    // Crypto Strong, But Not Secure
    random_string(24, "chars", DEV_URANDOM);
    // Non-Crypto
    random_string(24, "chars", DEV_RAND);

Having it default to DEV_RAND...

If this is something that's desired, I can update the password implementation to include this change (since it depends on a function like this internally)...

Anthony

On Mon, Jul 16, 2012 at 9:58 AM, Andrew Faulds wrote:
> This sounds very useful. To make it easier to use, why not also add
> some string constants, something like CHARS_HEX, CHARS_BASE64,
> CHARS_DECIMAL, etc? Then you could just do `random_string(24,
> CHARS_HEX);` to get a 24-char hex string.
>
> On 16 July 2012 14:54, Nikita Popov wrote:
> > Hi all,
> >
> > I just want to throw a quick thought in here:
> >
> > The password API proposal includes a function called
> > password_make_salt(), that basically creates a random string, either
> > in raw binary form, or in the bcrypt salt format. Personally I don't
> > see much use for the function in the salt context as the password API
> > already generates the salt all by itself, but I do see a lot of use
> > for a random string function in general. People commonly want to
> > create random strings according to some format. Like CSRF tokens, ids,
> > etc.
> >
> > So my thought was to drop password_make_salt() and instead add some
> > kind of generalized random_string() function:
> >
> >     // this is a 20 byte random binary string
> >     $str = random_string(20);
> >
> >     // ten random hex characters
> >     $str = random_string(10, "0123456789ABCDEF");
> >
> >     // 15 characters from the bcrypt alphabet 0-9a-zA-Z./
> >     $str = random_string(15,
> >         "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./");
> >
> >     // if it's not too hard to implement, one could support this kind
> >     // of shortcut:
> >     $str = random_string(15, "0-9a-zA-Z./");
> >
> > Thoughts?
> >
> > Nikita
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
>
> --
> Andrew Faulds (AJF)
> http://ajf.me/
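The two parts the thread flags as the hard bit, expanding a "0-9a-zA-Z./" shortcut into a full alphabet and mapping random bytes onto an alphabet whose size is not a power of two, as an added example in C (the language such a function would be written in inside the PHP engine). This is not CryptLib's BaseConverter and not PHP source: instead of base conversion it draws each symbol by rejection sampling, which is what keeps a naive `byte % strlen(alphabet)` from favouring the first few symbols whenever the alphabet length does not divide 256. The `byte_source_fn` callback, `urandom_source` and the deterministic `counter_source` (constructed purely so the output is checkable; never use it for real tokens) are assumptions of this example standing in for the DEV_* selector proposed above, and `expand_alphabet` / `random_string` are names chosen here, not PHP functions.

```c
#include <stdio.h>
#include <string.h>

/* Byte source: fills buf[0..n) and returns 0, or -1 on failure.
 * Assumption of this example; it stands in for the DEV_RANDOM /
 * DEV_URANDOM selector discussed in the thread. */
typedef int (*byte_source_fn)(unsigned char *buf, size_t n, void *ctx);

/* Read from the kernel CSPRNG. */
int urandom_source(unsigned char *buf, size_t n, void *ctx)
{
    (void)ctx;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Constructed, deterministic source for tests only: emits the byte
 * sequence ctx, ctx+1, ctx+2, ... (mod 256). Never use for real tokens. */
int counter_source(unsigned char *buf, size_t n, void *ctx)
{
    unsigned *next = ctx;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)((*next)++ & 0xFFu);
    return 0;
}

/* Expand a spec such as "0-9a-zA-Z./" into the full alphabet.
 * Returns the alphabet length, or -1 on a reversed range, a duplicate
 * symbol (which would make that symbol twice as likely) or overflow.
 * A '-' that is first or last in the spec is a literal dash. */
int expand_alphabet(const char *spec, char *out, size_t out_cap)
{
    unsigned char seen[256] = {0};
    size_t n = 0, len = strlen(spec);

    for (size_t i = 0; i < len; i++) {
        unsigned lo = (unsigned char)spec[i], hi = lo;
        if (i + 2 < len && spec[i + 1] == '-') {   /* "x-y" range */
            hi = (unsigned char)spec[i + 2];
            if (hi < lo)
                return -1;
            i += 2;
        }
        for (unsigned c = lo; c <= hi; c++) {
            if (seen[c] || n >= out_cap)
                return -1;
            seen[c] = 1;
            out[n++] = (char)c;
        }
    }
    return (int)n;
}

/* Fill out[0..len) with symbols drawn uniformly from alphabet[0..alen)
 * and NUL-terminate (out must hold len + 1 bytes).
 * Any byte >= limit is discarded and replaced by a fresh one, so every
 * symbol has probability exactly 1/alen. Returns 0, or -1 on error. */
int random_string(char *out, size_t len, const char *alphabet, size_t alen,
                  byte_source_fn src, void *ctx)
{
    if (alen == 0 || alen > 256)
        return -1;
    unsigned limit = 256u - (256u % (unsigned)alen); /* largest multiple of alen <= 256 */
    unsigned char buf[64];
    size_t filled = 0;

    while (filled < len) {
        if (src(buf, sizeof buf, ctx) != 0)
            return -1;
        for (size_t i = 0; i < sizeof buf && filled < len; i++) {
            if (buf[i] >= limit)
                continue;                 /* reject: would introduce modulo bias */
            out[filled++] = alphabet[buf[i] % alen];
        }
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char alphabet[256], token[33];
    int alen = expand_alphabet("0-9a-zA-Z./", alphabet, sizeof alphabet);
    if (alen < 0 || random_string(token, 32, alphabet, (size_t)alen,
                                  urandom_source, NULL) != 0) {
        fprintf(stderr, "random_string failed\n");
        return 1;
    }
    printf("%d-symbol alphabet, token: %s\n", alen, token);
    return 0;
}
```

Build with `cc -std=c99 -Wall random_string.c`. The 64-symbol bcrypt alphabet divides 256, so no byte is ever rejected; a 10-digit alphabet rejects the six bytes 250..255, about 2.3% of the input, which is the price of an exactly uniform output. Passing `counter_source` with a counter starting at 248 makes that rejection visible: the bytes 250..255 are skipped and the result continues with "0", "1" from the wrapped counter.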