md5（uniqid）对随机唯一标记有意义吗？

本文介绍了md5（uniqid）对随机唯一标记有意义吗？的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我想创建一个令牌生成器，生成用户无法猜出并且仍然唯一的令牌（用于密码重置和确认代码）。

  
 
 在web应用程序中，安全机密的一个很好的来源是非阻塞访问熵池，如 / dev / urandom 。从PHP 5.3开始，PHP应用程序可以使用 openssl_random_pseudo_bytes（），Openssl库将根据您的操作系统选择最佳的熵源，这意味着应用程序将使用的/ dev / urandom的。这个斯科特的代码片断很不错， a>：
 
 pre code $ function $ $ $ $ $ $ $ $ $ $ $ $ $ $ $; 
 if（$ range  $ log = log（$ range，2）; 
 $ bytes =（int）（$ log / 8）+ 1; //字节长度
 $ bits =（int）$ log + 1; //比特长度
 $ filter =（int）（1  do {
 $ rnd = hexdec（bin2hex（openssl_random_pseudo_bytes（$ bytes）））; 
 $ rnd = $ rnd& $过滤器; （$ rnd> = $ range）; //丢弃无关位
}; 
返回$ min + $ rnd; 
} 
 
函数getToken（$ length = 32）{
 $ token =; 
 $ codeAlphabet =ABCDEFGHIJKLMNOPQRSTUVWXYZ; 
 $ codeAlphabet。=abcdefghijklmnopqrstuvwxyz; 
 $ codeAlphabet。=0123456789; 
 for（$ i = 0; $ i <$ length; $ i ++）{
 $ token。= $ codeAlphabet [crypto_rand_secure（0，strlen（$ codeAlphabet））];; 
} 
返回$ token; 
}

I want to create a token generator that generates tokens that cannot be guessed by the user and that are still unique (to be used for password resets and confirmation codes).

I often see this code; does it make sense?

md5(uniqid(rand(), true));

According to a comment uniqid($prefix, $moreEntopy = true) yields

I don't know how the $prefix-parameter is handled..

So if you don't set the $moreEntopy flag to true, it gives a predictable outcome.

QUESTION: But if we use uniqid with $moreEntopy, what does hashing it with md5 buy us? Is it better than:

md5(mt_rand())

edit1: I will store this token in an database column with a unique index, so I will detect columns. Might be of interest/

解决方案

rand() is a security hazard and should never be used to generate a security token: rand() vs mt_rand() (Look at the "static" like images). But neither of these methods of generating random numbers is cryptographically secure. To generate secure secerts an application will needs to access a CSPRNG provided by the platform, operating system or hardware module.

In a web application a good source for secure secrets is non-blocking access to an entropy pool such as /dev/urandom. As of PHP 5.3, PHP applications can use openssl_random_pseudo_bytes(), and the Openssl library will choose the best entropy source based on your operating system, under Linux this means the application will use /dev/urandom. This code snip from Scott is pretty good:

function crypto_rand_secure($min, $max) {
        $range = $max - $min;
        if ($range < 0) return $min; // not so random...
        $log = log($range, 2);
        $bytes = (int) ($log / 8) + 1; // length in bytes
        $bits = (int) $log + 1; // length in bits
        $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
        do {
            $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
            $rnd = $rnd & $filter; // discard irrelevant bits
        } while ($rnd >= $range);
        return $min + $rnd;
}

function getToken($length=32){
    $token = "";
    $codeAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $codeAlphabet.= "abcdefghijklmnopqrstuvwxyz";
    $codeAlphabet.= "0123456789";
    for($i=0;$i<$length;$i++){
        $token .= $codeAlphabet[crypto_rand_secure(0,strlen($codeAlphabet))];
    }
    return $token;
}

这篇关于md5（uniqid）对随机唯一标记有意义吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！