47

Say I would like to generate a secure random int between 0 and 27 using:

func Int(rand io.Reader, max *big.Int) (n *big.Int, err error)

in the "crypto/rand" package.

How would I do that?

I do not really understand how this works, why does it not return one of the built in Go ints instead of pointer to some big.Int type?

EDIT:

Would this be considered secure enough for tokens?

func getToken(length int) string { token := "" codeAlphabet := "ABCDEFGHIJKLMNOPQRSTUVWXYZ" codeAlphabet += "abcdefghijklmnopqrstuvwxyz" codeAlphabet += "0123456789" for i := 0; i < length; i++ { token += string(codeAlphabet[cryptoRandSecure(int64(len(codeAlphabet)))]) } return token } func cryptoRandSecure(max int64) int64 { nBig, err := rand.Int(rand.Reader, big.NewInt(max)) if err != nil { log.Println(err) } return nBig.Int64() } func main() { fmt.Println(getToken(32)) }

This would output something like this:

qZDbuPwNQGrgVmZCU9A7FUWbp8eIfn0Z EwZVoQ5D5SEfdhiRsDfH6dU6tAovILCZ cOqzODVP0GwbiNBwtmqLA78rFgV9d3VT
Improve this question
5
  • 3
    Do you really need a "cryptographically secure pseudorandom number" ? (from the doc godoc.org/crypto/rand) If you do not, you can use godoc.org/math/rand Commented Sep 2, 2015 at 9:53
  • 2
    I need it to generate secure tokens. Like the one I showed above. I would like it if it could include all characters from the alphabet including digits. Commented Sep 2, 2015 at 9:57
  • Just saw your edit. An alternate way could be to generate a really big random int (like between 0 and the max int64) and to encode it in hexadecimal or base32. I'll add it to my answer Commented Sep 2, 2015 at 10:12
  • 2
    Normally if someone needs a cryptographically strong random number she won't need a range of [0,27] (which is 5 bit) but something much larger, more like 2048 bits which just does not fit into an int64. So a big.int is returned. Maybe you should generate a long bit sequence and simply base32 encode it? Commented Sep 2, 2015 at 10:17
  • 3
    "Cryptographically secure PRNG" and "5 bits" does not go together. At a minimum a token (say, for CSRF or session IDs) should be 256 bits. I would rethink your approach. Commented Sep 2, 2015 at 10:53

3 Answers 3

Reset to default
53

Here is some working code :

package main import ( "fmt" "crypto/rand" "math/big" ) func main() { nBig, err := rand.Int(rand.Reader, big.NewInt(27)) if err != nil { panic(err) } n := nBig.Int64() fmt.Printf("Here is a random %T in [0,27) : %d\n", n, n) }

But to generate a random token, I'd do something like this :

package main import ( "crypto/rand" "encoding/base32" "fmt" ) func main() { token := getToken(10) fmt.Println("Here is a random token : ", token) } func getToken(length int) string { randomBytes := make([]byte, 32) _, err := rand.Read(randomBytes) if err != nil { panic(err) } return base32.StdEncoding.EncodeToString(randomBytes)[:length] }
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Also see socketloop.com/tutorials/golang-how-to-generate-random-string (using base64, so more than just the alphabet and numbers en.wikipedia.org/wiki/Base64)
I'd suggest at least 24 (if not 32) bytes for any kind of tokens.
the getToken function, as currently written, only works if length is <= 56. Changing the first line in the function to randomBytes := make([]byte, length) will work for any value of length. Under the covers it will create a longer byte slice than needed but not that much more. The resulting random string will always be length long.
37

If you're generating secure tokens for session IDs, OAuth Bearer tokens, CSRF or similar: you want to generate a token of (ideally) 256 bits (32 bytes) or no less than 192 bits (24 bytes).

A token with values between (0-27) can be brute-forced in less than a second and could not be considered secure.

e.g. 

package main import ( "crypto/rand" "encoding/base64" ) // GenerateRandomBytes returns securely generated random bytes. // It will return an error if the system's secure random // number generator fails to function correctly, in which // case the caller should not continue. func GenerateRandomBytes(n int) ([]byte, error) { b := make([]byte, n) _, err := rand.Read(b) // Note that err == nil only if we read len(b) bytes. if err != nil { return nil, err } return b, nil } // GenerateRandomString returns a URL-safe, base64 encoded // securely generated random string. func GenerateRandomString(s int) (string, error) { b, err := GenerateRandomBytes(s) return base64.URLEncoding.EncodeToString(b), err } func main() { // Example: this will give us a 44 byte, base64 encoded output token, err := GenerateRandomString(32) if err != nil { // Serve an appropriately vague error to the // user, but log the details internally. } }

The base64 output is safe for headers, HTTP forms, JSON bodies, etc.

If you need an integer it may help to explain your use-case, as it would be odd for a system to require tokens as ints.

Improve this answer

2 Comments

Hi elithrar, I edited my posts. I wanted to use it to create tokens for different things such as password resets and for keys to be dealt out to people for registration for a closed website and so on.
@Aiden In that case you don't need random integers. A sufficiently random string (base64, hex, whatever) would be more than fine. My snippet above uses base64.URLEncoding to generate strings you can use in a URL - e.g. yourdomain.com/resetpassword?token=YW55m5hbCIGNhcm5hbCBwbGVhc3U= would cover that use-case. As a tip: make sure you strictly enforce a single-use and expiry date on the tokens in your backend (SQL, Redis, etc.) as there are lots of sharp edges around re-using password reset tokens that don't expire "correctly".
2

If you only need a small number (i.e. [0, 255]), you could just read a byte out of the package's Reader:

b := []byte{0} if _, err := rand.Reader.Read(b); err != nil { panic(err) } n := b[0] fmt.Println(n)

Playground: http://play.golang.org/p/4VO52LiEVh (the example won't work there, I don't know if it's working as intended or it's a playground bug).

Improve this answer

1 Comment

About the playground, there is this issue which was marked as fixed but actually isn't : github.com/golang/go/issues/5096 . I left a comment there

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.