Generating secure cross site request forgery tokens (csrf)

If it's 100% deterministic for the server (has no random per-session data), then it's 100% deterministic for the client. And that means it's 100% deterministic for an attacker as well. Which basically means that the protection is useless at stopping CSRF style attacks...

Could you explain why hashing values that are relatively easy to figure out is better than a pseudo random number generator?

In ZF2 we used a chain of tests for random generation: 1) if OpenSSL is installed we used the openssl_random_pseudo_bytes(); 2) if Mcrypt is installed we used mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); that uses '/dev/urandom' source. 3) mt_rand() as a fallback, but only for not cryptographic purpose. More details here: https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L25

The OWASP version relies on two options as a token: A. The SHA512 hash of mt_rand(). The MD5 hashes of all outputs from mt_rand() are online. SHA256 hashes can be brute forced at some incredible speeds on a GPU making it fairly pointless for minimal entropy inputs - it's only a number between 0 and 2^31 (mt_getrandmax()). SHA512 is much much slower that SHA256 but I can't help wonder if it's so slow as to take TOO long running only 2.147B comparisons - most hashing tools have GPU support these days and the last GPU generation were marvellous for this task. It wouldn't surprise me if it took

I just sent an email to the author of PHP_CSRF_Guard suggesting to use openssl_random_pseudo_bytes() instead of mt_rand(). I agree with @padraicb, the random number provided by OpenSSL is enough for a CSRF token, you can just use it without an hash function.

By the way @pmjones they are using a hashing algorithm ( $token=hash("sha512",mt_rand(0,mt_getrandmax())); ) and in the top it mentions the code is not verified by OWASP experts.

When using cryptographically strong random bytes, you don't have to worry about possible edge cases and attack vectors etc. that may appear when using weak randomness. Ie. when the system is under an active attack. I'd make sure CSRF tokens are also generated using strong randomness (it is easy to make sure the system do not get vulnerable, in any situation (edge cases included), because of weak randomness). If strong randomness is not available, just exit with an error. About "deplete the entropy available", this is actually not the case with /dev/urandom and alike. System random number generators (like /dev/urandom) do not run out of entropy. Urandom _might_ be low on entropy immediately after a fresh OS install, but this is insignificant when talking about web apps.

Cryptos (κρυπτός) and graphein (γράφειν) just means "secret writing". When we're generating a token what we want to do is give a secret to the person on the web page that will be extremely difficult to predict. The examples that I've found tend to rely on uniqid() which is based off of the time and, thus, predictable. So when you're thinking about cryptography you are probably thinking about the actual act of encryption, which is not what we're talking about. We are using the tool from one of the first steps in the chain for creating an "unpredictable" value. The 32 bytes (256 bits) of data give us 1.1579208923731619542357098500869e+77 values, which is a pretty big set of values for you to use and so I doubt that you would deplete entropy. However, mt_rand() returns an integer, not a series of bytes. That means that you have only 4 billion or so numbers to choose from. Compared to that other huge number, I would choose the latter.

I too think the same for it is just a form token. Is the cryptography really needed. May be to that sort of systems, but not to all I guess.

The problem with uniqid(mt_rand(), true); is related with mt_rand() that is not cryptographically secure. A more secure way to generate a random token is to use md5(openssl_random_pseudo_bytes(32)); or hash($algo, openssl_random_pseudo_bytes(128)); where $algo is sha-*. If you don't have the OpenSSL extension enabled you can use the mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); where $length is the size of the random bytes. We implemented a random generator in ZF2 based on this considerations: https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L25

It uses that as an example for generating a token, but that page also specifically states that it is based off of microtime. Because of that the value would be predictable.

I'd like to add (as I posted to pmjones' blog) that it is a bit misleading to say that openssl_random_pseudo_bytes() is “better” (security-wise speaking) than any other method that relies on /dev/urandom (or the Windows equivalence on Windows). Reading straight from /dev/urandom, or fetching bytes some other way (which uses /dev/urandom) are all practically equal. Care should be taken to make sure to avoid those quirks when fetching random bytes. For example, openssl_random_pseudo_bytes() blocking on certain versions, /dev/uradom not available on Windows and security issues with mcrypt_create_iv() (using DEV_URANDOM) on certain versions on Windows.

Thanks. That's a good point. In other words, using md5() or sha512 is not as important as getting the actual random bits. The hashing, itself, is really only there to make sure that the bits that come out do not break the format. One could almost say that when using openssl_random_pseudo_bytes() you could use md5(), hash_hmac() or base64_encode() without a loss of security, something that would not be possible to say about uniqid().