I wan't to generate token to verify the email of users, I learn about universal hashing (selecting a hash function at random from a family of hash functions) and I wrote this code in PHP
Is it a secure method to generate token ?
$string ='';
$length = 60;
$pattern = 'abcdefghijklmnpqrstuvwxyABCDEFGHIJKLMNPQRSTUVWXY0123456789';
$hashList = array('sha256','sha384','sha512','ripemd256','ripemd320','openssl_random_pseudo_bytes');
$randNumber = mt_rand(0, 6);
for($i=0; $i<$length; $i++)
{
$string .= $pattern[rand()%strlen($pattern)];
}
switch ($randNumber) {
case 0:
return substr(hash($hashList[$randNumber],$string),0,$length);
break;
case 1:
return substr(hash($hashList[$randNumber],$string),0,$length);
break;
case 2:
return substr(hash($hashList[$randNumber],$string),0,$length);
break;
case 3:
return substr(hash($hashList[$randNumber],$string),0,$length);
break;
case 4:
return substr(hash($hashList[$randNumber],$string),0,$length);
break;
case 5:
return substr(bin2hex($hashList[$randNumber]($length)),0,$length);
break;
default:
return $string;
break;
}
It seems a bit complicated for me, verifying users email may not be the most important thing to secure, generating hash trough that function. It's unlikely to guess hash value.
I would choose only one hash function, don't just create hash value from username, email values, add some salt or random stuff into the string. Next option would be controlling how many invalid verifications has been processed and just block user to verify for some period.