Re: Extending uniqid() or not?

From:	Tjerk Meesters	Date:	Mon, 03 Feb 2014 07:45:32 +0000
Subject:	Re: Extending uniqid() or not?
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

On Mon, Feb 3, 2014 at 2:25 PM, Pierre Joye <[email protected]> wrote:

> On Mon, Feb 3, 2014 at 5:59 AM, Tjerk Meesters <[email protected]>
> wrote:
> > On Mon, Feb 3, 2014 at 9:13 AM, Yasuo Ohgaki <[email protected]> wrote:
> >
> >> Hi Tjerk,
> >>
> >> On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters <
> [email protected]>wrote:
> >>
> >>> I think it would be good enough to have only uuid v4:
> >>>
> >>> function uuidv4()
> >>> {
> >>>     $data = openssl_random_pseudo_bytes(16); // or whatever
> >>>
> >>>     $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010
> >>>     $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10
> >>>
> >>>     return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data),
> 4));
> >>> }
> >>>
> >>> It's really just a representation of random data, whereby 6 bits are
> used
> >>> for the actual format.
> >>>
> >>
> >> I agree.
> >> UUID v4 simply generate random ID and it is good for many purposes.
> >>
> >> My concern is portability. OpenSSL(or Mcrypt) is provided as module.
> >> Users tends not to use module functions whenever possible. To address
> >> this issue, OpenSSL could be a module compiled by default.
> >>
> >
> > You could simply choose between php_win32_get_random_bytes() (Windows)
> or
> > reading directly from /dev/xrandom. Ultimately you have to be prepared
> to
> > supplement the data (partially or fully) with calls to php_rand().
>
> I cannot agree more, except for the php_rand part, we should avoid it.
> Both are more than enough for this purpose. As I wrote earlier, it is
> not necessary to have crypto safe RNGs for uuid generations,
>

The RFC [1] states v4 is used with truly-random or pseudo-random number
generators; it would be up to us to decide whether LCG is pseudo-random
enough :)

The generated values should be hard to guess, which typically means LCG
would not be suitable. The function (if implemented) could issue a warning
or notice if a preferred RNG could not be used, even though
password_hash() doesn't do this in the same scenario.

[1] http://tools.ietf.org/html/rfc4122#section-4.4


   

Thread (29 messages)

• Yasuo OhgakiSun, 02 Feb 2014 04:32:21 +0000
  • Martin JansenSun, 02 Feb 2014 07:35:46 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 10:12:01 +0000
      • Pierre JoyeSun, 02 Feb 2014 10:27:27 +0000
      • Tjerk MeestersSun, 02 Feb 2014 23:55:04 +0000
        • Yasuo OhgakiMon, 03 Feb 2014 01:13:45 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 01:33:48 +0000
          • Tjerk MeestersMon, 03 Feb 2014 04:59:12 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 05:08:24 +0000
            • Pierre JoyeMon, 03 Feb 2014 06:25:20 +0000
              • Yasuo OhgakiMon, 03 Feb 2014 07:20:27 +0000
              • Tjerk MeestersMon, 03 Feb 2014 07:45:32 +0000
                • Pierre JoyeMon, 03 Feb 2014 08:00:15 +0000
  • Stas MalyshevSun, 02 Feb 2014 10:33:00 +0000
    • Yasuo OhgakiSun, 02 Feb 2014 22:08:45 +0000
      • Arvids GodjuksSun, 02 Feb 2014 22:41:14 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 22:51:03 +0000
      • Yasuo OhgakiSun, 02 Feb 2014 22:46:03 +0000
        • Yasuo OhgakiMon, 03 Feb 2014 01:26:17 +0000
      • Pierre JoyeSun, 02 Feb 2014 22:59:09 +0000
      • Stas MalyshevSun, 02 Feb 2014 23:02:29 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 23:07:09 +0000
          • Stas MalyshevSun, 02 Feb 2014 23:33:14 +0000
  • Lester CaineSun, 02 Feb 2014 13:14:08 +0000
  • Derick RethansMon, 03 Feb 2014 10:08:19 +0000
    • Yasuo OhgakiMon, 03 Feb 2014 21:25:38 +0000
  • Pádraic BradyMon, 03 Feb 2014 11:48:52 +0000
• Andrey AndreevMon, 03 Feb 2014 08:13:26 +0000Re: Extending uniqid() or not?
  • Stas MalyshevMon, 03 Feb 2014 08:18:49 +0000