All About The Blowfish CSPRNG
Security... A laughable matter? I say no. When it comes to security there are so many complicated approaches many developers take; however, I propose to you that security is only as hard as you make it. If you are reading this, your code stack is probably primarily comprised of PHP. You may be self-taught (as I am), you could have taken online courses, or maybe you learned at University. Whatever your background, you either make secure applications or you don't. It's truly as simple as that! We as developers owe it to our users and clients to code with SAAS (Security as a Standard). Make your applications secure by default and then you don't have to do a bunch of housekeeping when you start accepting user input. Simply put, your approach to security will make or break your application. I recommend this curated list as a great place to learn high-quality concepts about application security.
Enough of the rant about security, here's how the CSPRNG (Cryptographically Secure Pseudo Random Number Generator) works. I use the random_int() function (man page) to generate cryptographically secure pseudo random strings. Its character choices are: 0-9, a-z, A-Z, and all symbols excluding backslash (\), single quotes (') and double quotes (") (for code compatibility reasons). This randomness is sourced from none other than /dev/urandom! Before you start to use this method, you must understand some things: what a seed is, what entropy is, and what the security risks are. Basically, you need to make sure that enough entropy has been gathered since boot to properly seed the CSPRNG. This means that the only time /dev/urandom could imply a security risk is when entropy (essentially random data) is low during the first moments of a fresh, automated OS install. If the machine has booted up to a point where it begins having some network activity, then it has gathered enough physical randomness to provide pseudo randomness of high enough quality for all practical purposes.
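The generator described above, written out as an added example (not the author's own code). The function names are hypothetical, and "all symbols" is assumed to mean printable ASCII punctuation.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not the author's code.

// Alphabet from the post: 0-9, a-z, A-Z and symbols, minus \ ' and ".
// Assumption: "all symbols" means printable ASCII punctuation (0x21-0x7E).
function csprng_alphabet(): string
{
    $alphabet = '';
    for ($code = 0x21; $code <= 0x7E; $code++) {
        $char = chr($code);
        if ($char === '\\' || $char === "'" || $char === '"') {
            continue; // excluded for code compatibility
        }
        $alphabet .= $char;
    }
    return $alphabet;
}

function csprng_string(int $length, ?string $alphabet = null): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be at least 1.');
    }
    $alphabet = $alphabet ?? csprng_alphabet();
    $max = strlen($alphabet) - 1;
    if ($max < 1) {
        throw new InvalidArgumentException('Alphabet needs 2+ characters.');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max], so no modulo bias.
        // It throws when the OS cannot supply randomness; let that
        // propagate instead of falling back to rand() or mt_rand().
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Entropy of a uniformly chosen string, in bits.
function csprng_entropy_bits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

$alphabet = csprng_alphabet();
$token = csprng_string(32, $alphabet);
printf("%s\n%.1f bits\n", $token, csprng_entropy_bits(32, strlen($alphabet)));
```

The entropy figure assumes every character is drawn independently and uniformly, which is what random_int() provides once the kernel pool has been seeded.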
Credit where credit is due.
A big thank you to some very smart people @ StackExchange for their help!
https://security.stackexchange.com/q/3936/193468
Specifically @Thomas Pornin's answer: https://security.stackexchange.com/a/3939/193468
A special thanks to Paragon Initiative's own Scott Arciszewski for the basis of my CSPRNG!