  1. #1
    SitePoint Addict lundberg's Avatar

    Generate unique activation keys

    Hello everyone,

    What is the best way to generate unique activation keys that look like xxxx-xxxx-xxxx-xxxx, where x is a hexadecimal number, so for example 53e1-fbaf-4230-6c7a? I thought I could use mile md5 but it produces a longer value and then I have to trim it down, which feels like it increases the risk of similar values.

    -Martin

    Martin Lundberg
    Sweden

  2. #2
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Marius Karthaus has created a class that returns "A UUID, made up of 32 hex digits and 4 hyphens":
    http://php.net/manual/en/function.uniqid.php#88400
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  3. #3
    SitePoint Enthusiast
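    PHP Code:
    <?php

    // Return $length characters taken from a shuffled copy of $chars
    // (defaults to the 16 hex digits a-f, 0-9).
    function random($length, $chars = '')
    {
        if (!$chars) {
            $chars = implode(range('a', 'f'));
            $chars .= implode(range('0', '9'));
        }
        // str_shuffle() permutes the string, so no character repeats in the result
        $shuffled = str_shuffle($chars);
        return substr($shuffled, 0, $length);
    }

    // Build a key of four 4-character groups: xxxx-xxxx-xxxx-xxxx
    function serialkey()
    {
        return random(4) . '-' . random(4) . '-' . random(4) . '-' . random(4);
    }

    echo serialkey();

    ?>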
    Last edited by BooBooGotU; Jan 27, 2010 at 05:15. Reason: a-z >> a-f

  4. #4
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Thanks BooBooGotU but there's a boo-boo in your code.

    The request is for hexadecimal values, not alphabetic ones, and there are serious entropy problems with your solution.

    You can contact the people in GRC's Cryptography forum if you would like to learn more about this.

  5. #5
    SitePoint Wizard
    I believe 0-9 and a-f is hex (oh I see edited). Can you explain more about the entropy please?

  6. #6
    SitePoint Enthusiast
    Boo-boo fixed. Thanks.

    lundberg: are you keeping these keys in some place like a database? If so, add a unique key on the column and this will prevent any repeating values being generated. If that is your main concern, as I read in your post, then this solution provides you with 100% uniqueness.

    How many of these keys are you going to generate? 1000? 10 thousand? A million? Or maybe a billion? If it's not too many, then I don't think there is a need to search for some really advanced solution, str_shuffle works fine.
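
The unique-column approach from the post above, as an added example that is not part of the original thread: keys come from PHP's CSPRNG, the database enforces uniqueness, and a rejected duplicate triggers a retry. The table name `activation_keys`, the column `code` and the functions `make_key()` and `issue_key()` are assumptions made for illustration; an in-memory SQLite database keeps it self-contained.

```php
<?php
// Added example: CSPRNG-generated keys stored under a UNIQUE constraint,
// with a retry when the database reports a duplicate.
// Table, column and function names are hypothetical.

function make_key(): string
{
    // 8 random bytes -> 16 hex digits -> xxxx-xxxx-xxxx-xxxx
    return implode('-', str_split(bin2hex(random_bytes(8)), 4));
}

function issue_key(PDO $db, callable $gen, int $maxTries = 5): string
{
    $insert = $db->prepare('INSERT INTO activation_keys (code) VALUES (?)');
    for ($try = 1; $try <= $maxTries; $try++) {
        $code = $gen();
        try {
            $insert->execute([$code]);
            return $code;               // stored, therefore unique
        } catch (PDOException $e) {
            // SQLSTATE class 23 = integrity constraint violation (duplicate)
            if (substr((string) $e->getCode(), 0, 2) !== '23') {
                throw $e;               // any other database error is fatal
            }
        }
    }
    throw new RuntimeException("no unique key after $maxTries tries");
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE activation_keys (code CHAR(19) NOT NULL UNIQUE)');

echo issue_key($db, 'make_key'), "\n";

// Constructed collision: this generator returns an already-stored value on
// its first call, so the constraint rejects it and the loop retries.
$db->exec("INSERT INTO activation_keys (code) VALUES ('53e1-fbaf-4230-6c7a')");
$calls = 0;
$forced = function () use (&$calls) {
    return $calls++ === 0 ? '53e1-fbaf-4230-6c7a' : make_key();
};
echo issue_key($db, $forced), " after ", $calls, " attempts\n";
```

`random_bytes()` requires PHP 7 or later. The constraint guarantees uniqueness whichever generator is plugged in; how guessable the keys are still depends on the generator.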

  7. #7
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Quote Originally Posted by hash
    I believe 0-9 and a-f is hex (oh I see edited). Can you explain more about the entropy please?

    It is truly difficult for computers to generate true randomness. The less of a pattern that can be discerned, the more entropy it contains.

    Computer cryptography experts have become well versed with increasing the entropy of their encryptions. Steve Gibson for example has, in conjunction with feedback from the cryptography community, created a way to generate ultra-high security passwords that uses
    "Rijndael (AES) block encryption of never-repeating counter values in CBC mode"
    Despite the quote, the page makes for a very good read.

    Then for more fun there are Perfect Paper Passwords
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript
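
To put numbers on the entropy point for the `str_shuffle()` generator in post #3, here is an added example (not code from any poster in this thread) that compares it with groups drawn from PHP's CSPRNG. The function names `shuffled_group()`, `csprng_group()` and `repeat_rate()` are assumptions made for illustration.

```php
<?php
// Added example: keyspace of the str_shuffle() group generator from post #3
// versus groups taken from the operating system CSPRNG.

const HEX = '0123456789abcdef';

// Post #3's approach: shuffle the 16 hex digits, keep the first $length.
function shuffled_group(int $length = 4): string
{
    return substr(str_shuffle(HEX), 0, $length);
}

// CSPRNG approach: 2 random bytes -> 4 independent hex digits.
function csprng_group(): string
{
    return bin2hex(random_bytes(2));
}

// Fraction of generated groups that contain a repeated digit.
function repeat_rate(callable $gen, int $samples): float
{
    $repeats = 0;
    for ($i = 0; $i < $samples; $i++) {
        $group = $gen();
        if (count(array_unique(str_split($group))) < strlen($group)) {
            $repeats++;
        }
    }
    return $repeats / $samples;
}

// Possible values of one group: a shuffle is a permutation, so digits
// cannot repeat; independent digits can take any of 16 values each.
$shuffleGroup = 16 * 15 * 14 * 13;
$csprngGroup  = 16 ** 4;
printf("values per group : %d vs %d\n", $shuffleGroup, $csprngGroup);
printf("bits per key     : %.2f vs %.2f\n",
    4 * log($shuffleGroup, 2), 4 * log($csprngGroup, 2));

// Empirical check: shuffled groups never repeat a digit, while roughly a
// third of uniformly random groups do.
printf("repeat rate      : %.3f vs %.3f\n",
    repeat_rate('shuffled_group', 20000),
    repeat_rate('csprng_group', 20000));
```

Apart from the smaller keyspace, the PHP manual warns that `str_shuffle()` does not generate cryptographically secure values, so its output should not be relied on to be unpredictable. `random_bytes()` requires PHP 7 or later.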

  8. #8
    . shoooo... silver trophy logic_earth's Avatar
    Quote Originally Posted by pmw57
    It is truly difficult for computers to generate true randomness. The less of a pattern that can be discerned, the more entropy it contains......

    Is that not a little overboard for something that does not need to be cryptographically secure?

    I personally would forget about using some special format and just do:
    Code:
    code = hash( username + date( ISO8601 ) )
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  9. #9
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Quote Originally Posted by logic_earth
    Is that not a little overboard for something that does not need to be cryptographically secure?

    Perhaps a little, but these are supposed to be for unique activation keys, so introducing weaknesses in the keys is best to be avoided.

    If we're going the easy and mostly effective way, we could just use a couple of uniqid calls.

  10. #10
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Here is the script from PHP 5 in Practice for generating a unique 40-character identifier:

    Code php:
    <?php
    // A function to return a unique identifier for the user's browser
    function create_unique() {
        // Read the user agent, IP address, current time, and a random number:
     
        $data = $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] .
                time() . rand();
     
        // Return this value hashed via sha1
        return sha1($data);
    }
     
    // Echo out the hashed data - This will be different every time.
    $newhash = create_unique();
    echo "<pre>{$newhash}</pre>";
    ?>

  11. #11
    secure webapps for all Aleksejs's Avatar
    pmw57, very good points indeed, but maybe then add one more layer and use hash_hmac() instead of plain hash?


    Code php:
    <?php
    // A function to return a unique identifier for the user's browser
    function create_unique() {
        // Read the user agent, IP address, current time, and a random number:
     
        $data = $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'] .
                time() . rand();
        $secret_key = 'really secret sequence for this web-applications function only';//change t
        // Return this value HMAC with sha256
        return hash_hmac('sha256',$data,$secret_key);
    }
     
    // Echo out the hashed data - This will be different every time.
    $newhash = create_unique();
    echo "<pre>{$newhash}</pre>";
    ?>

  12. #12
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Quote Originally Posted by Aleksejs
    pmw57, very good points indeed, but maybe then add one more layer and use hash_hmac() instead of plain hash?

    Yep, if your hosting provider gives you access to it then HMAC is a more secure way to encrypt SHA1.

  13. #13
    . shoooo... silver trophy logic_earth's Avatar
    However, completely unnecessary to use HMAC....


  14. #14
    secure webapps for all Aleksejs's Avatar
    ... and that is because... ?

  15. #15
    . shoooo... silver trophy logic_earth's Avatar
    Quote Originally Posted by Aleksejs
    ... and that is because... ?

    The value only needs to be unique, not secure.


  16. #16
    secure webapps for all Aleksejs's Avatar
    In that case, why not drop hashing at all and use a counter that increments as an activation key? 1, 2, 3 and so on.

