randtok: Random Token String Generation in Scheme

Neil Van Dyke

License: LGPL 3   Web: http://www.neilvandyke.org/randtok-scheme/

 (require (planet neil/randtok:1:0))

1 Introduction

The randtok library is intended for generating random strings such as for secure authentication tokens for Web site session cookies.

randtok makes fairly efficient use of bits in a scarce random byte source like /dev/random. For example, an 8-character token consisting of only the lower-case Latin letters consumes only 5 random bytes, rather than 8. In a security sensitive application, efficient use of the source might be important when using effectively random data rather than a possibly predictable pseudorandom number generator (PRNG).

Note that this code has not been tested heavily.

(make-random-token-string-maker port    
  len)  any/c
  port : any/c
  str : any/c
  len : any/c

Returns a procedure that generats random token strings of length len, using characters from string str, with random numbers drawn from input port port.

  (define random-in (open-input-file "/dev/random"))
  (define f (make-random-token-string-maker
             random-in "0123456789abcdef" 10))
  f   ==> <procedure:<random-token-string-maker>>
  (f) ==> "7dd73b9ec0"
  (f) ==> "1f7bc42210"
  (close-input-port random-in)

This is useful for using a single open file of /dev/random to generate multiple random token strings throughout the execution of a program. For example:

  (call-with-input-file "/dev/random"
    (lambda (random-in)
      (file-stream-buffer-mode random-in 'none)
      (let ((randtok (make-random-token-string-maker
                      random-in "ABCD" 10)))
        (printf "Here is a random token: ~S\n" (randtok))
        (printf "Here is another random token: ~S\n" (randtok))

Note that you may wish to disable buffering of the input port, as is done above.

(current-random-byte-file)  any/c
(current-random-byte-file x)  void?
  x : any/c

This parameter is a filename for a source of random bytes. It is used by procedure random-token-string. The default value is "/dev/random".

(random-token-string len)  any/c
  len : any/c

This is a convenient procedure for generating alphanumeric random token strings, using upper-case and lower-case Latin letters and Arabic digits. The length defaults to 8. For example:

  (random-token-string)    ==> "SW6gu2gw"
  (random-token-string)    ==> "9RjdZxyj"
  (random-token-string 20) ==> "thCOmSte6OXWByxtn0G5"

Note that reusing the output of make-random-token-string-maker will be more efficient in some cases.

3 Legal

Copyright (c) 2009 Neil Van Dyke. This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License (LGPL 3), or (at your option) any later version. This program is distributed in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. See http://www.gnu.org/licenses/ for details. For other licenses and consulting, please contact the author.