Reputation: 3710
I need to generate a single-use token in PHP. There are two functions available that I can use for this that seem to do the same thing: random_bytes and openssl_random_pseudo_bytes. For example, using random_bytes:
var_dump(bin2hex(random_bytes(12)));
--> string(24) "338f489ec37a2c2b4943905d"
and using openssl_random_pseudo_bytes:
var_dump(bin2hex(openssl_random_pseudo_bytes(12)));
--> string(24) "1c7febea20029bd524fba8e7"
openssl_random_pseudo_bytes is PHP 5.3 and up (so I assume it's been around longer), and random_bytes is PHP 7. I'm using PHP 7 so I can use either.
So is there any major (or minor for that matter) difference between the two? If not, I'm tempted to go with random_bytes simply because it has an easier name (= code that's easier to read).
Upvotes: 34
Views: 34078
Reputation: 79
Just to update, the cryptographic insecurity in openssl_random_pseudo_bytes was fixed in 2016. More details here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8867
It uses RAND_bytes now, which OpenSSL recommends in its wiki:
https://wiki.openssl.org/index.php/Random_Numbers#FIPS_Mode
Upvotes: 5
Reputation: 522382
openssl_random_pseudo_bytes is part of the OpenSSL extension, which must be explicitly configured and included in the PHP compilation process and requires external dependencies.
random_bytes is new in PHP 7 as the native, always-available PHP method to generate random bytes, which chooses its internal source of randomness depending on the platform it's on.
The main reason for introducing random_bytes was that generating pseudo-random data was always a bit of a headache in PHP, requiring developers to be platform-aware and possibly using several different fallback methods depending on which extensions or system-level functions are available. This often led to bugs in individual implementations, which is particularly concerning in security-relevant code. random_bytes simplifies this by providing one function which is always available and uses the best possible source of randomness available. If you can target PHP 7+ exclusively, it should be your go-to method.
Upvotes: 42
Reputation: 809
According to the PHP manual:
random_bytes: Generates cryptographically secure pseudo-random bytes
openssl_random_pseudo_bytes: Generate a pseudo-random string of bytes
so the main difference is the "cryptographically secure".
The openssl_random_pseudo_bytes() PHP function calls the RAND_pseudo_bytes() OpenSSL function, which the OpenSSL docs say should only be used for non-cryptographic purposes:
https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
Upvotes: 2
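As an added example (not code from the question or from any of the answers above), here is how the single-use token the question asks about can be issued and redeemed with random_bytes(), the always-available PHP 7+ source the top answer recommends, plus a legacy helper showing the strong-randomness flag check that openssl_random_pseudo_bytes() needs if it must be used; the in-memory store and the 600-second lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or answers. The in-memory array stands in
// for a database table, and the 600-second lifetime is an assumed policy.
const TOKEN_BYTES = 32;   // 256 bits of entropy per token
const TOKEN_TTL   = 600;  // seconds until an unused token expires

function issue_token(array &$store): string
{
    // random_bytes() throws on failure instead of silently returning weak data.
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    // Store only a hash, so a leaked table does not reveal redeemable tokens.
    $store[hash('sha256', $token)] = time() + TOKEN_TTL;
    return $token;
}

function redeem_token(array &$store, string $presented): bool
{
    $key = hash('sha256', $presented);
    // hash_equals() keeps each comparison constant-time.
    foreach ($store as $stored => $expires) {
        if (hash_equals($stored, $key)) {
            unset($store[$stored]);      // single use: consumed on first redemption
            return $expires >= time();   // an expired token is consumed but rejected
        }
    }
    return false;
}

// Only for code that must still run on PHP 5.3-5.6: openssl_random_pseudo_bytes()
// reports through its by-reference argument whether the bytes were cryptographically
// strong, and that flag has to be checked rather than assumed.
function legacy_token(): string
{
    $bytes = openssl_random_pseudo_bytes(TOKEN_BYTES, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('openssl_random_pseudo_bytes did not return strong randomness');
    }
    return bin2hex($bytes);
}

$store = [];
$token = issue_token($store);
var_dump(redeem_token($store, $token));   // first redemption consumes the token
var_dump(redeem_token($store, $token));   // the same token cannot be redeemed again
```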