Generate cryptographically secure random numbers in php

Question

PHP\'s rand() function doesn\'t give good random numbers. So I started to use mt_rand() which is said to give better results. But how good are thes

Answer 1

I made a PHP class for generating random numbers and strings PHPRandomValue

It uses "mcrypt_create_iv(4, MCRYPT_DEV_URANDOM)" to generate random numbers and values. I made it while working on a crypto project because I needed a safe random value generator. Here's an example usage

$randomValue = new RandomValue;

$randomValue->randomNumber(): = -3880998

$randomValue->randomNumberBetween(1,10): = 2

$randomValue->randomTextString(): = CfCkKDHRgUULdGWcSqP4

$randomValue->randomTextString(10):  = LorPIxaeEY

$randomValue->randomKey(): = C7al8tX9.gqYLf2ImVt/!$NOY79T5sNCT/6Q.$!.6Gf/Q5zpa3

$randomValue->randomKey(10):  = RDV.dc6Ai/

Answer 2

Quick answer:

In a new PHP7 there is a finally a support for a cryptographically secure pseudo-random integers.

int random_int ( int $min , int $max )

There is also a polyfill for PHP5x.

Longer answer

---

There is no perfect random number generator, and computers use pseudorandom number generator to create sequences that looks random. The sequences look random (and pass some randomness tests) but because there is some algorithm to generate it, you can repeat algorithm with absolutely the same states and get the same result.

The same advice as with cryptography "do not invent your own cypher" can be translated to random number generators and mean that you can not just get a lot of random number generators combined together and get expect to get a better generator.

---

One of the subsets of random number generators is cryptographically secure random number generators:

The requirements of an ordinary PRNG are also satisfied by a cryptographically secure PRNG, but the reverse is not true. CSPRNG requirements fall into two groups: first, that they pass statistical randomness tests; and secondly, that they hold up well under serious attack, even when part of their initial or running state becomes available to an attacker

So this is pretty close to your definition of "perfect". One more time under no condition (except of learning how to do cryptography) you should try to implement one of that algorithms and use it in your system.

---

But luckily PHP7 has it implemented,

int random_int ( int $min , int $max )

Generates cryptographic random integers that are suitable for use where unbiased results are critical (i.e. shuffling a Poker deck).

The sources of random are as follows:

• On Windows CryptGenRandom() is used exclusively
• arc4random_buf() is used if it is available (generally BSD specific)
• /dev/arandom is used where available
• The getrandom(2) syscall (on newer Linux kernels)
• /dev/urandom is used where none of the above is available

This makes all the previous answers obsolete (and some deprecated).

Answer 3

I wrote a cronjob that gets 1000 numbers from random.org periodically (say, once an hour) and added them into a PHP array. Whenever I want random numbers in my script, I use mt_rand(0,1000) to call a number from that. A few extra microseconds of overhead, but I get truly random numbers based on natural atmospheric noise.

Answer 4

In what way is mt_rand() "bad"?

For example: If it favors a certain number. Lets say mt_rand(1, 10) favours low numbers in the range, ie "1" and "2" occurs on average more than 10% each. Then your "improvement" would still suffer from the same problem.

Selecting a random number out of a faulty sequence will still be faulty.