
how to use the randomlib


terungwa


I am having trouble implementing Anthony Ferrara's RandomLib library in my custom PHP application.

Here's my code:

require_once 'RandomLib/Factory.php';
$factory = new \RandomLib\Factory;
$generator = $factory->getMediumStrengthGenerator();
return $generator->generate(16);

Unfortunately, I'm getting the following error:

Fatal error: Class 'SecurityLib\AbstractFactory' not found in C:\wamp\www\RandomLib-master\RandomLib-master\lib\RandomLib\Factory.php on line 30

How do I implement this library?

 

Thanks


You need an autoloader (see test/bootstrap.php for an example) and the SecurityLib library. You can use Composer to handle that automatically.

 

But why do you even want this library? There are much easier (and I'd say: more reliable) ways to get random bytes. You can directly access the random number generator of your operating system with mcrypt_create_iv() or openssl_random_pseudo_bytes(). No need for a big third-party library.

Hi Jacques1,

I needed to generate a random number/string for use in creating One-Time Use URLs for password reset tokens, CSRF tokens and registration activation tokens.

To ensure unpredictability (random) and a low chance of duplication (collision), I was using this code below:

$token = sha1(uniqid($username, true));

I read here (http://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html) that the code above had vulnerabilities and the Anthony Ferrara RandomLib library on Github was recommended, hence my choice.

 

Do you think this openssl_random_pseudo_bytes code below is good for generating a random string for the purposes I mentioned above?

function random($len) {
    $bytes = openssl_random_pseudo_bytes($len);
    $hex   = bin2hex($bytes);
    return $hex;
}

Thanks.


The OpenSSL function is exactly what the library uses internally.

 

All good random number generators eventually use the randomness device of your operating system (like /dev/urandom), so the source is always the same. The difference is that openssl_random_pseudo_bytes() is a simple function, whereas RandomLib is a big fat library with some extra features (like mixing multiple sources). Unless you have a specific reason for why you need the extra features of the library, just go with the simple function.

 

In fact, the PHP security tutorial you're reading specifically says that the library is only needed as a fallback in case neither the OpenSSL extension nor the Mcrypt extension are available. You do have the OpenSSL extension, so no need for the fallback.
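
An added example, not part of the original thread or of RandomLib: a one-time password reset token drawn from the OS random source discussed above, checking the strong-result flag of openssl_random_pseudo_bytes() and storing only a hash of the token. The function names and the array standing in for a database table are assumptions; random_bytes() is used when it is available (PHP 7.0+).

```php
<?php
// Added example. Function names and the $store array are hypothetical.

// Return $bytes of CSPRNG output as a hex string (2 * $bytes characters).
function generateToken($bytes = 32)
{
    if (function_exists('random_bytes')) {        // PHP 7.0+, throws on failure
        return bin2hex(random_bytes($bytes));
    }
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    // Refuse to continue if OpenSSL failed or reported a weak source.
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong random source');
    }
    return bin2hex($raw);
}

// Create a token for $userId; only its SHA-256 hash is stored.
function issueResetToken(array &$store, $userId, $ttl = 3600)
{
    $token = generateToken(32);
    $store[hash('sha256', $token)] = array(
        'user'    => $userId,
        'expires' => time() + $ttl,
    );
    return $token; // this value goes into the e-mailed URL
}

// Return the user id for a valid token, or null. A token works once.
function redeemResetToken(array &$store, $token)
{
    if (!is_string($token)) {
        return null;
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]); // consume it even if it has expired
    return $row['expires'] >= time() ? $row['user'] : null;
}

$store = array(); // constructed stand-in for a database table
$token = issueResetToken($store, 42);
var_dump(strlen($token));
var_dump(redeemResetToken($store, $token)); // first use
var_dump(redeemResetToken($store, $token)); // replay of the same token
```

Unlike sha1(uniqid($username, true)), the token here carries no timestamp or username input, so its unpredictability rests entirely on the operating system's random source.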
