Menu
I want to generate cryptographically secure unique uuids using php.
uniqid() provides unique but not secure ids and openssl_random_pseudo_bytes() provides secure but not unique ids. Is the combination of the two(following code) a proper approach or is there a better solution?
uniqid(bin2hex(openssl_random_pseudo_bytes(10)), true);
484
Don't rely on UUIDs for security. The standard itself warns implementors to “not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access, for example).”
They're globally unique, so the chances of encountering a duplicate ID even in external data are very, very small. They can be generated without the need to check against a central node, so in a distributed system, each node can generate UUIDs autonomously without fear of duplication or consistency issues.
UUIDs are generally used for identifying information that needs to be unique within a system or network thereof. Their uniqueness and low probability in being repeated makes them useful for being associative keys in databases and identifiers for physical hardware within an organization.
I want to generate cryptographically secure unique uuids using php.
Okay, that's easily done.
uniqid() provides unique but not secure ids and openssl_random_pseudo_bytes() provides secure but not unique ids.
What makes you think a cryptographically secure pseudorandom number isn't unique?
/**
* Return a UUID (version 4) using random bytes
* Note that version 4 follows the format:
* xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
* where y is one of: [8, 9, A, B]
*
* We use (random_bytes(1) & 0x0F) | 0x40 to force
* the first character of hex value to always be 4
* in the appropriate position.
*
* For 4: http://3v4l.org/q2JN9
* For Y: http://3v4l.org/EsGSU
* For the whole shebang: https://3v4l.org/LNgJb
*
* @ref https://stackoverflow.com/a/31460273/2224584
* @ref https://paragonie.com/b/JvICXzh_jhLyt4y3
*
* @return string
*/
function uuidv4()
{
return implode('-', [
bin2hex(random_bytes(4)),
bin2hex(random_bytes(2)),
bin2hex(chr((ord(random_bytes(1)) & 0x0F) | 0x40)) . bin2hex(random_bytes(1)),
bin2hex(chr((ord(random_bytes(1)) & 0x3F) | 0x80)) . bin2hex(random_bytes(1)),
bin2hex(random_bytes(6))
]);
}
The above example conforms to the UUIDv4 specification and uses PHP7's random_bytes() function.
For PHP 5 projects, you can use random_compat to polyfill random_bytes() from PHP 7.
145
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
