Pseudo-random generation of crypto-resistant passwords without using rand ()
For some reason, I wanted to make my own implementation of a secure password generator for my own needs. The script was written for your small PHP project using the mcrypt library. The principle of operation seemed to me interesting, so I decided to share this code.
')
Performance characteristics of implementation:
- character range: Aa — Zz and 0—9
- maximum password length: 300 characters
- rand () is not used
- passwords are generated through the symmetric block algorithm Serpent-256 in the mode of coupling blocks (CBC-mode)
with a secret varying initial vector, secret key and a long secret block of random characters
- to change the vector is used SHA256
- 3 files: generator.php, counter.txt, iv.txt
- there is a counter for beauty
Two functions:
make_password(int length); // , 22 = 128 bit
print_password(int length); //Pseudocode: base64 (serpent (key, iv, plaintext, cbc))
This is how the password is done, the most important part of the process.
(How does the initial vector and everything else change
Please see the php code.
There are comments in the code in interesting places.)
The full code of the generator contains html-tags:
http://www.copypastecode.com/8660/
Generator.php produces just such a table for quickly copying passwords.
All this works for me on the server through an encrypted SSL channel, so that passwords are visible only to me.
I will not give the link - I'm a greedy paranoid, still hack me and take the traffic.
If you want to use this code, change all the values (key, vector, text, and of the counter). My vector and counter are stored in files, you can store your data in databases (for example, MySQL) or anywhere else. It's good to generate passwords on a local machine or through a secure channel. To put this code in open access through a simple http, in my opinion, is extremely stupid.
Thank you cool habramenu lyxsus for an invite.
Source: https://habr.com/ru/post/66833/
All Articles