
I want to know if my barcode sequence method is sufficiently random and secure. I am currently using a barcode format as follows:

{base36 encoded sequential id}-{4 random numeric characters}

ex.:
2v05-9187
2v06-3607
2v07-1810

I want to switch to all numeric to allow easier keypad entry in the event of unreadable ticket:

34508-4821
34509-9615

It's pretty obvious what's going on here to hackers but it's reasonably secure(?)

I've looked into a one-way hash like crc32, but it produces variable-length, longer numbers:

echo hexdec(crc32("1000-secret"));
echo '<br>';
echo hexdec(crc32("1001-secret"));

//output:

1076135781
225104646983
Banditvibe
  • You can have something that's easy to type, or something that's secure. Pick one. – Alex Howansky Jun 20 '17 at 14:21
  • Well no, neither are fully random because they contain a short sequential number. What is the implication of me working out 34509 from 34508? or seeing a 5 digit number and entering another? For simple obfuscation see [this](https://stackoverflow.com/questions/8554286/obfuscating-an-id); for something more secure you need a longer value. The best approach to this is to ensure a permission set prevents a valid ID being used by someone who does not have permission to do so. – Alex K. Jun 20 '17 at 14:22
  • Not fully random, just adding some randomness. The implication of working out 34509 from 34508? Not much, because you'd still have to print out 10000 tickets starting with 34509-{4 numeric chars, 10k possibilities} to have a valid ticket somewhere. I guess when someone sees incrementing, he might think he's on to something, whereas a fully random id (no visible sequence) looks better and is more secure in the sense that printing out tickets in the hope of getting a valid one is futile. – Banditvibe Jun 20 '17 at 15:53
  • @Alex I tried the shuffle bits method from the link you provided, and it works well, but I have to get more up to speed on bitwise to understand the relationship between the mask1 and mask2 and d1 and d2 – Banditvibe Jun 21 '17 at 14:04

1 Answer


If you just want 4 random numbers your approach will work, just take the first four from your output:

echo substr(hexdec(crc32("1001-secret")), 0, 4);

With only four numbers you're going to be between 0000-9999, which is 10,000 different options. If this is enough randomness for you, you're all set.

Mike Mannakee
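An added example, not part of the original question or answer: crc32 is a checksum rather than a keyed hash, so this sketch derives the 4-digit suffix from HMAC-SHA256 over the sequential id, which keeps the `{id}-{4 digits}` code all-numeric and fixed-length. The key value, the function names and the sample ids are assumptions made for illustration.

```php
<?php
// Added example (not from the original posts). TICKET_KEY is a constructed
// placeholder; in production load a random 32-byte key from server config.
const TICKET_KEY = 'constructed-demo-key-do-not-reuse';
const SUFFIX_DIGITS = 4;

// Derive a fixed-length numeric suffix from the sequential id with HMAC-SHA256.
function ticket_suffix(int $id, string $key = TICKET_KEY): string
{
    $mac = hash_hmac('sha256', (string) $id, $key, true);   // 32 raw bytes
    // First 4 bytes as an integer, masked to 31 bits so it is never negative.
    $n = unpack('N', substr($mac, 0, 4))[1] & 0x7FFFFFFF;
    // Reduce to 0..9999 and left-pad so the length never varies.
    $digits = (string) ($n % (10 ** SUFFIX_DIGITS));
    return str_pad($digits, SUFFIX_DIGITS, '0', STR_PAD_LEFT);
}

function make_ticket(int $id): string
{
    return $id . '-' . ticket_suffix($id);
}

// Validate keypad or scanner input without a database lookup.
function verify_ticket(string $code): bool
{
    // One canonical form only: no leading zeros, exactly four suffix digits.
    if (!preg_match('/^([1-9]\d{0,8})-(\d{4})$/D', $code, $m)) {
        return false;
    }
    // hash_equals compares the two strings in constant time.
    return hash_equals(ticket_suffix((int) $m[1]), $m[2]);
}

// Constructed sample ids taken from the question's numeric format.
foreach ([34508, 34509] as $id) {
    $code = make_ticket($id);
    echo $code, ' => ', var_export(verify_ticket($code), true), PHP_EOL;
}

// A suffix that differs from the derived one is rejected.
$real  = ticket_suffix(34509);
$wrong = $real === '0000' ? '0001' : '0000';
echo "34509-$wrong => ", var_export(verify_ticket("34509-$wrong"), true), PHP_EOL;
```

A 4-digit suffix still leaves the 1-in-10,000 chance per guess discussed in the thread, so the validation endpoint should limit attempts per ticket id and mark each ticket as used once it is redeemed.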