terungwa Posted September 9, 2014 (edited)

I am having trouble implementing Anthony Ferrara's RandomLib library in my custom PHP application. Here's my code:

    require_once 'RandomLib/Factory.php';
    $factory = new \RandomLib\Factory;
    $generator = $factory->getMediumStrengthGenerator();
    return $generator->generate(16);

Unfortunately, I'm getting the following error:

    Fatal error: Class 'SecurityLib\AbstractFactory' not found in C:\wamp\www\RandomLib-master\RandomLib-master\lib\RandomLib\Factory.php on line 30

How do I implement this library?

Thanks

Jacques1 Posted September 10, 2014

You need an autoloader (see test/bootstrap.php for an example) and the SecurityLib library. You can use Composer to handle that automatically.

But why do you even want this library? There are much easier (and I'd say: more reliable) ways to get random bytes. You can directly access the random number generator of your operating system with mcrypt_create_iv() or openssl_random_pseudo_bytes(). No need for a big third-party library.

terungwa Posted September 10, 2014 (edited)

Hi Jacques1,

I needed to generate a random number/string for use in creating One-Time Use URLs for password reset tokens, CSRF tokens and registration activation tokens.

To ensure unpredictability (random) and a low chance of duplication (collision), I was using this code below:

    $token = sha1(uniqid($username, true));

I read here (http://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html) that the code above had vulnerabilities and the Anthony Ferrara RandomLib library on Github was recommended, hence my choice.

Do you think this openssl_random_pseudo_bytes code below is good to generate a random string for the purposes I mentioned above?

    function random($len)
    {
        $bytes = openssl_random_pseudo_bytes($len);
        $hex = bin2hex($bytes);
        return $hex;
    }

Thanks.

Jacques1 Posted September 10, 2014

The OpenSSL function is exactly what the library uses internally. All good random number generators eventually use the randomness device of your operating system (like /dev/urandom), so the source is always the same.

The difference is that openssl_random_pseudo_bytes() is a simple function, whereas RandomLib is a big fat library with some extra features (like mixing multiple sources). Unless you have a specific reason for why you need the extra features of the library, just go with the simple function.

In fact, the PHP security tutorial you're reading specifically says that the library is only needed as a fallback in case neither the OpenSSL extension nor the Mcrypt extension are available. You do have the OpenSSL extension, so no need for the fallback.

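The token generation discussed in this thread, as an added example that is not part of the original posts: it draws bytes from the operating system's generator through openssl_random_pseudo_bytes() and rejects a failed or non-strong result, then goes one step beyond the thread by storing only a hash of the token together with an expiry and a one-time-use flag. The function names and the in-memory record are assumptions for illustration; random_bytes() requires PHP 7 and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example; function names and the record layout are hypothetical.

// Return $bytes of OS randomness as hex, or throw if no strong source exists.
function secure_token($bytes = 32)
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes)); // PHP 7+: throws on failure
    }
    $strong = false;
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    // Older PHP: the call can return false or report a non-strong result.
    if ($raw === false || $strong !== true || strlen($raw) !== $bytes) {
        throw new RuntimeException('No cryptographically strong random source');
    }
    return bin2hex($raw);
}

// The URL carries the token; storage keeps only its SHA-256 hash and an expiry.
function issue_reset_token($ttlSeconds = 3600)
{
    $token = secure_token(32);
    $record = array(
        'token_hash' => hash('sha256', $token),
        'expires_at' => time() + $ttlSeconds,
        'used'       => false,
    );
    return array($token, $record);
}

// Accept a token once, before expiry, using a constant-time comparison.
function redeem_reset_token($presented, array &$record)
{
    $ok = !$record['used']
        && time() <= $record['expires_at']
        && hash_equals($record['token_hash'], hash('sha256', (string) $presented));
    if ($ok) {
        $record['used'] = true;
    }
    return $ok;
}

// Constructed demo: $row stands in for a database row.
list($token, $row) = issue_reset_token(900);
var_dump(strlen($token));
var_dump(redeem_reset_token($token, $row));
var_dump(redeem_reset_token($token, $row));
```

In a real application the record would be a database row keyed by user, and the second redemption attempt failing is what makes the reset URL one-time.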