Newsgroups: php.internals
Date: Mon, 3 Feb 2014 15:45:32 +0800
From: tjerk.meesters@gmail.com (Tjerk Meesters)
To: Pierre Joye
Cc: Yasuo Ohgaki, Martin Jansen, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Extending uniqid() or not?
References: <52EDF552.4010208@divbyzero.net>

On Mon, Feb 3, 2014 at 2:25 PM, Pierre Joye wrote:

> On Mon, Feb 3, 2014 at 5:59 AM, Tjerk Meesters wrote:
> > On Mon, Feb 3, 2014 at 9:13 AM, Yasuo Ohgaki wrote:
> >
> >> Hi Tjerk,
> >>
> >> On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters <tjerk.meesters@gmail.com> wrote:
> >>
> >>> I think it would be good enough to have only uuid v4:
> >>>
> >>> function uuidv4()
> >>> {
> >>>     $data = openssl_random_pseudo_bytes(16); // or whatever
> >>>
> >>>     $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0100
> >>>     $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10
> >>>
> >>>     return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
> >>> }
> >>>
> >>> It's really just a representation of random data, whereby 6 bits are used
> >>> for the actual format.
> >>>
> >>
> >> I agree.
> >> UUID v4 simply generates a random ID and it is good for many purposes.
> >>
> >> My concern is portability. OpenSSL (or Mcrypt) is provided as a module.
> >> Users tend not to use module functions whenever possible. To address
> >> this issue, OpenSSL could be a module compiled by default.
> >>
> >
> > You could simply choose between `php_win32_get_random_bytes()` (Windows) or
> > reading directly from `/dev/xrandom`. Ultimately you have to be prepared to
> > supplement the data (partially or fully) with calls to `php_rand()`.
>
> I cannot agree more, except for the php_rand part, we should avoid it.
> Both are more than enough for this purpose.
> As I wrote earlier, it is
> not necessary to have crypto safe RNGs for uuid generations,
>

The RFC [1] states v4 is used with truly-random or pseudo-random number generators; it would be up to us to decide whether LCG is pseudo-random enough :)

The generated values should be hard to guess, which typically means LCG would not be suitable.

The function (if implemented) could issue a warning or notice if a preferred RNG could not be used, even though `password_hash()` doesn't do this in the same scenario.

[1] http://tools.ietf.org/html/rfc4122#section-4.4
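
Added example, not part of the original message or of PHP itself: a v4 generator in the shape of the quoted one, with a pluggable byte source so the CSPRNG default can be compared with an LCG-backed source of the kind the thread debates. The `$source` parameter, `lcg_source()` and `check()` are hypothetical names; it assumes PHP 7.4 or later (for `random_bytes()` and arrow functions) with 64-bit integers.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. $source is a hypothetical
// injection point: any callable returning $n raw bytes.
function uuidv4(?callable $source = null): string
{
    // Default: random_bytes() (PHP >= 7.0), which throws instead of
    // silently degrading when no secure source is available.
    $data = $source === null ? random_bytes(16) : $source(16);
    if (!is_string($data) || strlen($data) !== 16) {
        throw new RuntimeException('byte source must return exactly 16 bytes');
    }
    $data[6] = chr((ord($data[6]) & 0x0f) | 0x40); // version nibble 0100 (v4)
    $data[8] = chr((ord($data[8]) & 0x3f) | 0x80); // variant bits 10 (RFC 4122)
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
}

// Constructed weak source for comparison: an LCG with the ANSI C sample
// rand() constants. Its whole output is fixed by a 31-bit seed.
function lcg_source(int $seed): callable
{
    $state = $seed & 0x7fffffff;
    return function (int $n) use (&$state): string {
        $out = '';
        for ($i = 0; $i < $n; $i++) {
            $state = ($state * 1103515245 + 12345) & 0x7fffffff;
            $out .= chr(($state >> 16) & 0xff);
        }
        return $out;
    };
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new LogicException("check failed: $what"); }
}

// Fixed inputs expose the 6 format bits; the other 122 come from the source.
$fill = fn (string $c): callable => fn (int $n): string => str_repeat($c, $n);
check(uuidv4($fill("\x00")) === '00000000-0000-4000-8000-000000000000', 'zero fill');
check(uuidv4($fill("\xff")) === 'ffffffff-ffff-4fff-bfff-ffffffffffff', 'one fill');

// Same seed, same "random" UUID: at most 2^31 distinct first values.
check(uuidv4(lcg_source(42)) === uuidv4(lcg_source(42)), 'LCG is reproducible');
// The CSPRNG-backed default does not repeat.
check(uuidv4() !== uuidv4(), 'CSPRNG output differs');
echo uuidv4(), PHP_EOL;
```

The reproducibility check is the point of the comparison: an identifier built from a seeded LCG carries no more unpredictability than its seed, whatever the 128-bit format suggests.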