Maxim Chernyak posted an article on his blog about creating an authentication token using PHP. I wouldn't recommend using this method to do that though. Even if the pattern looks quite complex, a computer will figure out the pattern using a handful of valid keys. It's very difficult to come up with an algorithm that is difficult to hack.
If you can keep information from the user, which Maxim's article assumes as well, you can use MD5 to generate keys. Simply add a string you keep secret to each key.
define('SECRET', "s3cr3t"); # don't actually use this value
function make_token() {
    $str = "";
    # 8 random alphanumeric characters (note the .= ; a plain = would keep only the last one)
    for ($i = 0; $i < 8; $i++) $str .= rand_alphanumeric();
    # append the keyed MD5 of the random part, giving a 40-character token
    return $str . md5($str . SECRET);
}
If you want a shorter key (16 chars), you may use:
define('SECRET', "s3cr3t"); # don't actually use this value
function make_token() {
    $str = "";
    for ($i = 0; $i < 7; $i++) $str .= rand_alphanumeric();
    # offset 0..24 into the 32-character MD5 hex string, stored as the letter A..Y
    $pos = rand(0, 24);
    $str .= chr(65 + $pos);
    # 8 random characters + 8 hex characters of the keyed hash = 16 characters
    return $str . substr(md5($str . SECRET), $pos, 8);
}
Do note that a shorter key is less secure.
To validate you would do:
function validate_token($str) {
    # reject anything that is not exactly 16 characters before indexing into it
    if (strlen($str) != 16) return false;
    $rs = substr($str, 0, 8);
    $pos = ord($str[7]) - 65;
    if ($pos < 0 || $pos > 24) return false;
    # recompute the expected token and compare in constant time (hash_equals, PHP >= 5.6)
    return hash_equals($rs . substr(md5($rs . SECRET), $pos, 8), $str);
}
This code is not tested and may contain bugs
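The 16-character scheme above, reimplemented in Python as an added example that is not part of the original post. It keeps the post's token layout (7 random alphanumerics, one letter A..Y carrying the hash offset, 8 hex characters of md5(prefix + secret)), but draws randomness from the `secrets` module instead of rand() and validates with a length check and a constant-time comparison. The secret value is the post's placeholder and must be replaced with a long random one in practice.

```python
import hashlib
import hmac
import secrets
import string

SECRET = b"s3cr3t"  # placeholder from the post; never use this value
ALPHANUM = string.ascii_letters + string.digits


def make_token(secret: bytes = SECRET) -> str:
    """Build a 16-char token: 7 random alphanumerics, a letter A..Y encoding
    an offset 0..24, then 8 hex chars of md5(prefix + secret) at that offset."""
    prefix = "".join(secrets.choice(ALPHANUM) for _ in range(7))
    pos = secrets.randbelow(25)          # 0..24, so pos + 8 <= 32 hex chars
    prefix += chr(65 + pos)
    digest = hashlib.md5(prefix.encode() + secret).hexdigest()
    return prefix + digest[pos:pos + 8]


def validate_token(token: str, secret: bytes = SECRET) -> bool:
    """Recompute the tag from the 8-char prefix and compare in constant time.
    Malformed input is rejected before anything is indexed or hashed."""
    if len(token) != 16 or not token.isascii():
        return False
    if any(c not in ALPHANUM for c in token[:7]):
        return False
    pos = ord(token[7]) - 65
    if not 0 <= pos <= 24:
        return False
    if any(c not in string.hexdigits for c in token[8:]):
        return False
    prefix = token[:8]
    digest = hashlib.md5(prefix.encode() + secret).hexdigest()
    return hmac.compare_digest(token[8:], digest[pos:pos + 8])


def tamper_last_char(token: str) -> str:
    """Flip the final hex character; used to show a forged tag is rejected."""
    return token[:-1] + ("0" if token[-1] != "0" else "1")
```

A keyed MD5 built by string concatenation is a home-grown MAC; for new code the same layout works unchanged with `hmac.new(secret, prefix.encode(), "sha256").hexdigest()` in place of the md5 call.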


A secure token grid authentication PHP class
Hello,
I finally decided to clean and distribute to the community a token grid class in PHP. You can have a look at it on the PHPclasses.org repository, licensed under the LGPL.
You can produce a credit card sized printed token grid for each customer, and then each time they want to log in, we ask (in addition to the username and the password) the token at a specific position.
Each token (by default 10×10 on one card) is calculated using an application id, a user id and the position in the grid. The token generation is based on an md5 of the parameters (you can have a look in the source code).
Best regards, have a nice weekend.
Any feedback welcome!
André
PHP Fatal error: Call to undefined function rand_alphanumeric()
FAIL.
Pmb: You didn’t copy the code from Maxim Chernyak.
pmb – “PHP Fatal error: Call to undefined function rand_alphanumeric()
FAIL.”
It's from Maxim's example.
rand_alphanumeric is not a PHP function, it's a custom function:
// return random alphanumeric char
function rand_alphanumeric() {
    $subsets = array();
    $subsets[0] = array('min' => 48, 'max' => 57);  // ascii digits 0-9
    $subsets[1] = array('min' => 65, 'max' => 90);  // ascii uppercase English letters A-Z
    $subsets[2] = array('min' => 97, 'max' => 122); // ascii lowercase English letters a-z
    // random choice between digits, uppercase and lowercase
    $s = rand(0, 2);
    $ascii_code = rand($subsets[$s]['min'], $subsets[$s]['max']);
    return chr($ascii_code);
}
So if this is in a class you will probably want to call it with something like $this->rand_alphanumeric().
@pmb:
FAIL.