Is it possible to predict rand(0,10) in PHP?

Backend · Unresolved · 6 · 1693
栀梦 2020-12-15 06:46

I have a script where I use the rand function in PHP. Now I've read some ghost stories that it's really easy to predict those outcomes. Is this possible from the client side?

6 answers
  •  不知归路
    2020-12-15 07:30

    You'd have to brute-force the state of the PRNG. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf

    PHP's rand() uses the underlying standard library implementation; this differs depending on the operating system.

    So first step, define the operating system.

    Next step, get the source code for the Rand() function and the code that seeds it.

    For simplicity, let's assume the seed for the PRNG is something like the millisecond time of the server. So, the HTTP request comes in, PHP seeds the PRNG and executes rand(0,10). If you want to predict that you would...

    • Sync your client's clock to the server's, statistically deriving the exact time from sending HTTP request to the server and reading the response HTTP header with the time stamp.

    • Seed your client PRNG (that is the same implementation as the server's) with a predicted future time that you will request rand(0,10) from the server. Run rand(0,10) on the client, send the request at the exact future time to the server and the results would be the same.

    • Ping times, processing times, etc make this a fairly brute-force approach.

    Really, over the internet (not having direct access to the server), you aren't going to have much luck predicting the results of PHP's rand() function.
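The answer above hinges on one property: a PRNG seeded from a guessable value (a clock, for instance) reproduces the same sequence for anyone who supplies the same seed. The following is an added example, not code from the original post, that demonstrates that property in PHP and shows the call a developer should use instead for anything security-relevant. It assumes PHP 7.1 or later, where rand() and srand() are aliases of mt_rand() and mt_srand(), and where random_int() (PHP 7.0+) draws from the operating system's CSPRNG. The seed value used is constructed for the demonstration and stands in for "the server clock at request time".

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.1, where
// rand()/srand() map to mt_rand()/mt_srand(), and random_int() exists.

/**
 * Draw $count values in [0, 10] after seeding the PRNG with $seed.
 * Whoever knows (or can guess) $seed obtains exactly this sequence,
 * which is the risk the answer above describes.
 */
function drawWithSeed(int $seed, int $count = 5): array
{
    mt_srand($seed);            // what srand($seed) does on PHP >= 7.1
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = rand(0, 10);
    }
    return $out;
}

/**
 * Draw $count values in [0, 10] from the OS CSPRNG via random_int().
 * There is no seed to guess and no user-visible state to reconstruct,
 * so this is the right call for tokens, draws, or anything adversarial.
 */
function drawSecure(int $count = 5): array
{
    $out = [];
    for ($i = 0; $i < $count; $i++) {
        $out[] = random_int(0, 10);
    }
    return $out;
}

// Constructed seed standing in for a server timestamp (not a real value).
$guessableSeed = 1607986000;

$server = drawWithSeed($guessableSeed);
$replay = drawWithSeed($guessableSeed);   // same seed, same sequence
echo "seeded draw:     " . implode(',', $server) . "\n";
echo "replayed draw:   " . implode(',', $replay) . "\n";
echo "sequences equal: " . var_export($server === $replay, true) . "\n";

// random_int() output is independent between calls and cannot be replayed.
$first  = drawSecure();
$second = drawSecure();
echo "random_int #1:   " . implode(',', $first) . "\n";
echo "random_int #2:   " . implode(',', $second) . "\n";
```

Run it twice: the two seeded draws match each other on every run (and across runs, since the seed is fixed), while the random_int() draws differ. For a real application the practical takeaway is simply to replace rand()/mt_rand() with random_int() wherever unpredictability matters, rather than trying to make the seed harder to guess.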
