Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83900
Return-Path: <leight@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 20175 invoked from network); 26 Feb 2015 15:50:45 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Feb 2015 15:50:45 -0000
Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.181 as permitted sender)
X-PHP-List-Original-Sender: leight@gmail.com
X-Host-Fingerprint: 209.85.220.181 mail-vc0-f181.google.com  
Received: from [209.85.220.181] ([209.85.220.181:34082] helo=mail-vc0-f181.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 58/04-32582-4D04FE45 for <internals@lists.php.net>; Thu, 26 Feb 2015 10:50:45 -0500
Received: by mail-vc0-f181.google.com with SMTP id im6so4214594vcb.12
        for <internals@lists.php.net>; Thu, 26 Feb 2015 07:50:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=JApUxqR0LzKB1jqswfzi7YyyCp1vbaz7TZwhVhgcpCM=;
        b=JOW3+Hcfv0wteQmQ+CcaogpQaslOV6FXr0AyaCATe2iuhi7kRJyLE6+hcSa2iKFejp
         Hzi3dqkoEVm1HGL5OyDS0N1ta0XnvKAqxOBhUtYTXH9MPUtKUlgDh6zLEUkgeBQghZYA
         8oO/mX/jB1Vk4+ScW3EvTBjueuMRL/xqr38xzAX6UVWAJ5Nf0KvrGXSVG3xa18fG3e35
         zI54I7AcPPqg8ycNv6TZSH3WC5UTGFiUpmGR9PnpY+GbOc18vSKcyNgrnDz2jJZuU3gV
         sW5OVAc043rDvZzXXn7AX91BxSoHW3/8q6RsUo608WYa9Kfo0+d3vUoYa9kzx89/pbSo
         cy9Q==
MIME-Version: 1.0
X-Received: by 10.53.11.76 with SMTP id eg12mr9179432vdd.68.1424965841355;
 Thu, 26 Feb 2015 07:50:41 -0800 (PST)
Received: by 10.52.177.10 with HTTP; Thu, 26 Feb 2015 07:50:41 -0800 (PST)
In-Reply-To: <D1149DA2.5DE3C%fsb@thefsb.org>
References: <D1138D6D.5DCE0%fsb@thefsb.org>
	<CAPwsocFtOnB_9uEJUXF-JLhrx0umeW7pKM_mYKRG2eBOM6oYwQ@mail.gmail.com>
	<CAEZPtU4Z9pSKydr-gH43nvDwtGfLTQv_RArqVk2SQg2qLoYZ2A@mail.gmail.com>
	<CAEZPtU7V_DKvrSAJZZA=OaktXpuPsGCuAzggobvSS63VUxbDTA@mail.gmail.com>
	<CALYT1Yp_szH_M=4ufwVXAng9iuva8rahqazjjZX+Br717k0urg@mail.gmail.com>
	<D1149DA2.5DE3C%fsb@thefsb.org>
Date: Thu, 26 Feb 2015 15:50:41 +0000
Message-ID: <CAPwsocFhtiqE2S+3XtesnkyyiRGgtTek7_SBU3dw59kGr45nkw@mail.gmail.com>
To: Tom Worster <fsb@thefsb.org>
Cc: Sammy Kaye Powers <me@sammyk.me>, php-internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC] [DISCUSSION] Reliable user-land CSPRNG
From: leight@gmail.com (Leigh)

On 26 February 2015 at 15:04, Tom Worster <fsb@thefsb.org> wrote:
>>I actually started down this RFC path out of frustration on this very
>>point of needing secure random alphanumeric stings. The originally RFC &
>>patch contained a `random_hex()` function that would convert bytes from
>>the CSPRNG into hex.
>
> bin2hex(random_bytes(8)) is so easy i don't think a new shorthand
> function is worth it.

I can't help but notice the output of this is 16 bytes.

Please, please tell me that you don't use the output of
bin2hex(random_bytes(8)) for a key or IV. This is so dangerous and I'm
actually worried about how many people actually do this.

Apologies if this is just a coincidence, but for the benefit of
_anyone_ reading this, never ever ever (ever!), use an encoded value
for a key or IV. Not hex, not base64, not anything exotic you've
dreamed up to make things "more random". If you know a project doing
this, spread the word, this is something that needs to be fixed
through education.