From 99b5dccf16bb80e1552728ca12ed9cfb216668fb Mon Sep 17 00:00:00 2001
From: Marius Lindvall
Date: Thu, 12 Dec 2019 11:34:56 +0100
Subject: [PATCH] Don't use O and 0 in upper/mixed case IDs; fixes #91

---
 backend-php/include/config-sample.php | 15 ++++++++-------
 backend-php/include/inc.php | 20 ++++++++++++--------
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/backend-php/include/config-sample.php b/backend-php/include/config-sample.php
index 104a151..e58b56c 100644
--- a/backend-php/include/config-sample.php
+++ b/backend-php/include/config-sample.php
@@ -137,21 +137,22 @@
 //
 // | Link style | Example | No. of combinations | Avg. bruteforce time |
 // +----------------------------+---------------------------------------+-----------------------+-------------------------------+
-// | LINK_4_PLUS_4_UPPER_CASE | EIRG-0CYE | 2.82 * 10^12 (36^8) | 44.7 years |
+// | LINK_4_PLUS_4_UPPER_CASE | V8LQ-H2UM | 1.79 * 10^12 (34^8) | 28.3 years |
 // | LINK_4_PLUS_4_LOWER_CASE | qae3-ulna | 2.82 * 10^12 (36^8) | 44.7 years |
-// | LINK_4_PLUS_4_MIXED_CASE | WRho-uHLG | 1.68 * 10^14 (60^8) | 2663 years |
+// | LINK_4_PLUS_4_MIXED_CASE | HEq3-tgJ1 | 1.28 * 10^14 (58^8) | 2030 years |
 // | LINK_UUID_V4 | 09c8a3b1-e78f-48b1-a604-0da49e99cb5d | 5.32 * 10^36 (2^122) | 84.2 septillion years |
 // | LINK_16_HEX | 6cde14c4c6551b41 | 1.84 * 10^19 (2^64) | 292 million years |
-// | LINK_16_UPPER_CASE | 49OFGRK6SGPU93KV | 7.95 * 10^24 (36^16) | 126 trillion years |
+// | LINK_16_UPPER_CASE | WVHA2FNMRT9HSKJK | 3.19 * 10^24 (34^16) | 50.6 trillion years |
 // | LINK_16_LOWER_CASE | bdyslxszs14cj359 | 7.95 * 10^24 (36^16) | 126 trillion years |
-// | LINK_16_MIXED_CASE | NTHX2HDsTn0kS3aj | 2.82 * 10^28 (60^16) | 447 quadrillion years |
+// | LINK_16_MIXED_CASE | 1Ayh2yUXDe3sdF3S | 1.64 * 10^28 (58^16) | 260 quadrillion years |
 // | LINK_32_HEX | 22adf21f11491ae8f3ae128e23a6782f | 3.40 * 10^38 (2^128) | 5.39 octillion years |
-// | LINK_32_UPPER_CASE | MG42MW2DKIMHM87B4AO0WAB2PIY26TR1 | 6.33 * 10^49 (36^32) | 1 duodecillion years |
+// | LINK_32_UPPER_CASE | R88M1Z2KPL27XN8MF73KCRYPHJD4QQMT | 1.02 * 10^49 (34^32) | 161 undecillion years |
 // | LINK_32_LOWER_CASE | itgbolrbq1c02eot5o46c5wixhdrdb5m | 6.33 * 10^49 (36^32) | 1 duodecillion years |
-// | LINK_32_MIXED_CASE | cTK82MJ7rUOP138WNVznQR0Ck3BwZp6b | 7.96 * 10^57 (60^32) | 12.6 quattuordecillion years |
+// | LINK_32_MIXED_CASE | qf5pqr2UKTUT6vREPPSTuqSKkCMojF17 | 2.69 * 10^56 (58^32) | 4.26 quattuordecillion years |
 //
 // For any MIXED_CASE variants, upper-case I and lower-case L will not appear
-// because they are visually very similar and are easily confused.
+// because they are visually very similar and are easily confused. For the same
+// reason, MIXED_CASE and UPPER_CASE variants will not generate 0 and O.
 //
 // The default value is LINK_4_PLUS_4_UPPER_CASE, which is still considered very
 // secure. The bruteforce times in the table below are the average time it would
diff --git a/backend-php/include/inc.php b/backend-php/include/inc.php
index 6546c21..cac2854 100644
--- a/backend-php/include/inc.php
+++ b/backend-php/include/inc.php
@@ -334,12 +334,14 @@ class Share {
 break;
 case LINK_16_MIXED_CASE:
 // 16-char mixed-case alphanumeric string.
- $alpha = "0123456789ABCDEFGHJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+ // '0', 'O', 'l' and 'I' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
 for ($i = 0; $i < 16; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 break;
 case LINK_16_UPPER_CASE:
 // 16-char upper-case alphanumeric string.
- $alpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ // '0' and 'O' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHIJKLMNPQRSTUVWXYZ";
 for ($i = 0; $i < 16; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 break;
 case LINK_32_HEX:
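Review bot: The alphabet literal `"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"` and its upper-case counterpart `"123456789ABCDEFGHIJKLMNPQRSTUVWXYZ"` are pasted verbatim into the case bodies here and again in the LINK_32_* and LINK_4_PLUS_4_* hunks below, so the four copies can drift apart — the pre-change code already showed this, carrying the "'l' and 'I' not included" comment on the 32-char case but not the 16-char one. Hoisting each alphabet into a class constant and the fill loop into a small private helper (PHP 7.1+ for `private const`) leaves the character set, and therefore the combination counts documented in config-sample.php, defined in one auditable place. The generation itself looks sound: `random_int()` is the CSPRNG API and indexing `0..strlen($alpha)-1` draws uniformly over the 58- and 34-character sets the table assumes. The enclosing `switch` and the initialization of `$s` lie outside the hunk, so the sketch keeps the `$s .=` form.
```php
// '0' and 'O' are left out of both sets because of visual similarity;
// the mixed-case set also drops 'l' and 'I'. Keep in sync with the
// combination counts documented in config-sample.php.
private const ALPHA_UPPER = "123456789ABCDEFGHIJKLMNPQRSTUVWXYZ";
private const ALPHA_MIXED = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Returns $length characters drawn uniformly from $alpha via random_int().
private static function randomString(string $alpha, int $length): string
{
    $s = "";
    for ($i = 0; $i < $length; $i++) $s .= $alpha[random_int(0, strlen($alpha) - 1)];
    return $s;
}

// … in the switch, each case shrinks to a single call, e.g.:
case LINK_16_MIXED_CASE:
    // 16-char mixed-case alphanumeric string.
    $s .= self::randomString(self::ALPHA_MIXED, 16);
    break;
// … unchanged: LINK_16_UPPER_CASE, LINK_32_*, LINK_4_PLUS_4_* use the same helper …
```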
@@ -353,13 +355,14 @@ class Share {
 break;
 case LINK_32_MIXED_CASE:
 // 32-char mixed-case alphanumeric string.
- // 'l' and 'I' not included because of visual similarity.
- $alpha = "0123456789ABCDEFGHJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+ // '0', 'O', 'l' and 'I' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
 for ($i = 0; $i < 32; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 break;
 case LINK_32_UPPER_CASE:
 // 32-char upper-case alphanumeric string.
- $alpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ // '0' and 'O' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHIJKLMNPQRSTUVWXYZ";
 for ($i = 0; $i < 32; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 break;
 case LINK_4_PLUS_4_LOWER_CASE:
@@ -370,15 +373,16 @@ class Share {
 break;
 case LINK_4_PLUS_4_MIXED_CASE:
 // 4+4-char mixed-case alphanumeric string.
- // 'l' and 'I' not included because of visual similarity.
- $alpha = "0123456789ABCDEFGHJKLMNOPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+ // '0', 'O', 'l' and 'I' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
 for ($i = 0; $i < 8; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 $s = substr($s, 0, 4)."-".substr($s, -4);
 break;
 case LINK_4_PLUS_4_UPPER_CASE:
 default:
 // 4+4-char upper-case alphanumeric string.
- $alpha = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ // '0' and 'O' not included because of visual similarity.
+ $alpha = "123456789ABCDEFGHIJKLMNPQRSTUVWXYZ";
 for ($i = 0; $i < 8; $i++) $s .= $alpha[random_int(0, strlen($alpha)-1)];
 $s = substr($s, 0, 4)."-".substr($s, -4);
 break;