Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83894 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 5655 invoked from network); 26 Feb 2015 15:05:07 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Feb 2015 15:05:07 -0000 Authentication-Results: pb1.pair.com header.from=fsb@thefsb.org; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=fsb@thefsb.org; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain thefsb.org designates 67.192.241.139 as permitted sender) X-PHP-List-Original-Sender: fsb@thefsb.org X-Host-Fingerprint: 67.192.241.139 smtp139.dfw.emailsrvr.com Linux 2.6 Received: from [67.192.241.139] ([67.192.241.139:50802] helo=smtp139.dfw.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A6/F0-32582-1263FE45 for ; Thu, 26 Feb 2015 10:05:05 -0500 Received: from smtp30.relay.dfw1a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp30.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 63A7C1801C5; Thu, 26 Feb 2015 10:05:02 -0500 (EST) Received: by smtp30.relay.dfw1a.emailsrvr.com (Authenticated sender: fsb-AT-thefsb.org) with ESMTPSA id 956B618014D; Thu, 26 Feb 2015 10:04:59 -0500 (EST) X-Sender-Id: fsb@thefsb.org Received: from [10.0.1.2] ([UNAVAILABLE]. [73.4.147.142]) (using TLSv1 with cipher DES-CBC3-SHA) by 0.0.0.0:465 (trex/5.4.2); Thu, 26 Feb 2015 15:05:02 GMT User-Agent: Microsoft-MacOutlook/14.4.8.150116 Date: Thu, 26 Feb 2015 10:04:55 -0500 To: Sammy Kaye Powers CC: php-internals Message-ID: Thread-Topic: [PHP-DEV] [RFC] [DISCUSSION] Reliable user-land CSPRNG References: In-Reply-To: Mime-version: 1.0 Content-type: text/plain; charset="UTF-8" Content-transfer-encoding: 7bit Subject: Re: [PHP-DEV] [RFC] [DISCUSSION] Reliable user-land CSPRNG From: fsb@thefsb.org (Tom Worster) On 2/26/15, 12:59 AM, "Sammy Kaye Powers" wrote: >I don't know why everyone says the internals list is so scary - you guys >are great! :) Clearly php-internals participants are all very fine people. I am nevertheless scared brickless of php-internals, which is not the same thing;) >I actually started down this RFC path out of frustration on this very >point of needing secure random alphanumeric stings. The originally RFC & >patch contained a `random_hex()` function that would convert bytes from >the CSPRNG into hex. bin2hex(random_bytes(8)) is so easy i don't think a new shorthand function is worth it. >The use case that I have seen most needed in user-land is in fact for >random alphanumeric strings so that they can generate CSRF tokens. Every >CRUD app could be affected by this. So I'm still +1 for having a built-in >function to get back arbitrary alphanumeric strings. But this can be done >with `bin2hex(random_bytes(16))` or `base64_encode(random_bytes(16))` so >I won't fight it too much. :) Using a 64-character alphabet is a bit more involved and is needed so often that we put it in Yii2's security class. base64 actually uses 65 characters, 3 of which aren't transparent to URL encoding.