
Generate API Client Key and Client Secret with php

I am creating a custom payment processing component for Joomla. This component has an API that allows users to process payments from other sources such as WooCommerce, Wix etc. I would like to know if it is safe to generate the "Client Key" and the "Client Secret" with my own written PHP script.

// Client Key: MD5 of the current timestamp concatenated with a Mersenne Twister value
$key = md5(microtime(true) . mt_rand());

// Client Secret: 32 bytes from the CSPRNG, hex-encoded to 64 characters
$secret = bin2hex(random_bytes(32));

If not, I will be glad if someone can point me to a more reliable script. Thank you

Generating a key using PHP is not inherently unsafe, as long as you take some precautions. While your question may attract a lot of opinion-based suggestions which may all be correct, I'd suggest some pointers:

md5 should be avoided whenever possible. Nowadays, collision attacks for md5 are simple enough to be considered trivial even if you are using a random salt upon hash generation. You should at least use sha1 (which is also somewhat easy to collide, albeit not as easy as md5) or sha256.

There are a lot of alternatives in case you want to stay away from sha1/sha256 too, although sha256 is, by 2018 standards, secure enough as a hashing algorithm. I would, however, use something other than microtime as the hash input parameter. Even though you're salting it, it's quite predictable. Just to err on the safe side of predictability, I'd advise concatenating something extra (i.e., microtime.mt_rand.something_else_which_is_also_random).

As for the secret, I'd suggest something more robust. There's no such thing as true randomness in PHP from a cryptological standpoint, so random_bytes may be more predictable and exploitable than it would seem at first glance. That, combined with the fact that bin2hex is just a conversion and not a one-way function, makes the whole secret a weak link. I'd use a longer string (32 seems weak) and combine it with something else (perhaps a bitwise XOR with a random string of equal length).
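The following is an added example, not code from the question or the answer above, showing one way to issue the client key and client secret discussed here in PHP: both values come from random_bytes (PHP's CSPRNG interface), and the server keeps only a hash of the secret so that a leaked client table does not expose usable credentials. The function names and the array used as a stand-in for the database row are assumptions made for this example.

```php
<?php
// Added example (not from the question or answer): issuing an API client key
// and client secret with PHP's CSPRNG, storing only a hash of the secret.
declare(strict_types=1);

// Public identifier used to look up the client record. 16 random bytes,
// hex-encoded to 32 characters, which is plenty to avoid collisions.
function generateClientKey(): string
{
    return bin2hex(random_bytes(16));
}

// Secret credential: 32 random bytes = 256 bits of entropy, hex-encoded to
// 64 characters. random_bytes() throws if no secure source is available,
// so the caller gets an exception instead of a weak value.
function generateClientSecret(): string
{
    return bin2hex(random_bytes(32));
}

// Store the secret the way a password is stored: salted, slow hash.
// The plaintext secret is shown to the user once and never written to the DB.
function hashClientSecret(string $secret): string
{
    return password_hash($secret, PASSWORD_DEFAULT);
}

// Verify a presented secret against the stored hash. password_verify()
// performs a constant-time comparison internally.
function verifyClientSecret(string $presented, string $storedHash): bool
{
    return password_verify($presented, $storedHash);
}

// Constructed usage: issue a credential pair and check it.
$clientKey    = generateClientKey();
$clientSecret = generateClientSecret();

// Hypothetical database row: only the key (public) and the hash are persisted.
$clientRow = [
    'client_key'  => $clientKey,
    'secret_hash' => hashClientSecret($clientSecret),
];

echo "Client Key:    {$clientKey}\n";
echo "Client Secret: {$clientSecret}\n"; // display once at creation time only

var_dump(verifyClientSecret($clientSecret, $clientRow['secret_hash']));
var_dump(verifyClientSecret('not-the-secret', $clientRow['secret_hash']));
```

On a lookup, the API would fetch the row by `client_key` and then call `verifyClientSecret()` with the presented secret; if the hash is ever migrated to a different algorithm, `password_needs_rehash()` can be used at verification time to upgrade stored hashes.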
