PHP's rand() function doesn't give good random numbers. So I started to use mt_rand() which is said to give better results. But how good are thes
Quick answer:
In the new PHP 7 there is finally support for cryptographically secure pseudo-random integers.
int random_int ( int $min , int $max )
There is also a polyfill for PHP 5.x.
Longer answer
There is no perfect random number generator, and computers use pseudorandom number generators to create sequences that look random. The sequences look random (and pass some randomness tests), but because there is some algorithm generating them, you can repeat the algorithm with exactly the same state and get the same result.
The same advice as with cryptography, "do not invent your own cipher", can be translated to random number generators: you cannot just combine a lot of random number generators together and expect to get a better generator.
One of the subsets of random number generators is cryptographically secure random number generators:
The requirements of an ordinary PRNG are also satisfied by a cryptographically secure PRNG, but the reverse is not true. CSPRNG requirements fall into two groups: first, that they pass statistical randomness tests; and secondly, that they hold up well under serious attack, even when part of their initial or running state becomes available to an attacker
So this is pretty close to your definition of "perfect". One more time: under no condition (except for learning how to do cryptography) should you try to implement one of those algorithms and use it in your system.
But luckily PHP7 has it implemented,
int random_int ( int $min , int $max )
Generates cryptographic random integers that are suitable for use where unbiased results are critical (i.e. shuffling a Poker deck).
The sources of random are as follows:
getrandom(2) syscall (on newer Linux kernels)
This makes all the previous answers obsolete (and some deprecated).
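Added example, not part of the original answer: it contrasts the repeatable output of a seeded mt_rand() with a Fisher-Yates deck shuffle driven by random_int(), the use case the documentation quote mentions. The helper names mt_sequence and secure_shuffle, the seed 1234 and the deck are constructed for illustration; it assumes PHP 7.0+ (or the polyfill) run from the command line.

```php
<?php
declare(strict_types=1);

// mt_rand() is a seeded PRNG: the same state always replays the same sequence.
function mt_sequence(int $seed, int $count): array
{
    mt_srand($seed);
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = mt_rand(0, 51);
    }
    return $out;
}

// Fisher-Yates shuffle that draws every index from random_int() (hypothetical helper).
function secure_shuffle(array $items): array
{
    $items = array_values($items);
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);   // uniform over [0, $i], no modulo bias
        $tmp = $items[$i];
        $items[$i] = $items[$j];
        $items[$j] = $tmp;
    }
    return $items;
}

// Constructed sample input: a 52-card deck.
$deck = [];
foreach (['C', 'D', 'H', 'S'] as $suit) {
    foreach (['2', '3', '4', '5', '6', '7', '8', '9', 'T', 'J', 'Q', 'K', 'A'] as $rank) {
        $deck[] = $rank . $suit;
    }
}

// Two runs with the same constructed seed are compared for equality.
var_dump(mt_sequence(1234, 5) === mt_sequence(1234, 5));

try {
    $shuffled = secure_shuffle($deck);
} catch (\Exception $e) {
    // random_int() throws when no secure entropy source is available:
    // fail closed here instead of falling back to rand() or mt_rand().
    error_log('no secure randomness: ' . $e->getMessage());
    exit(1);
}

echo implode(' ', array_slice($shuffled, 0, 5)), PHP_EOL;
```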