Randomness in PHP-do you feel lucky?

This paper analyzes the problems related to generating random numbers for encryption. PHP 5 does not provide a simple mechanism to generate cryptographic strong random numbers, but PHP 7 solves this problem by introducing several CSPRNG functions.

What is CSPRNG

Referring to Wikipedia, a cryptographic safe pseudo-random number generator (cryptographically secure pseudorandom number Generator abbreviation CSPRNG) is a pseudo-random numbers generator (PRNG), Its generated pseudo-random number is applicable to cryptography algorithms.

CSPRNG may be used primarily for:

• Key generation (for example, generating complex keys)

• Generate a random password for a new user

• Encryption system

A key aspect of getting high-level security is high-quality randomness

The csprng in PHP7

PHP 7 introduces two new functions that can be used to implement csprng:random_bytes and Random_int.

The Random_bytes function returns a string that accepts an int type parameter that represents the number of bytes that returned the result.

Example:

The Random_int function returns a number of type int within a specified range.

Example:

Background run environment

The randomness of the above functions varies depending on the environment:

• On the window, CryptGenRandom () is always used.

• On other platforms, Arc4random_buf () will be used if available (established on BSD series or systems with LIBBSD)

• If none of the above is true, a Linux system call Getrandom (2) will be used.

• If not,/dev/urandom will be used as the last available tool.

• If none of the above, the system throws an error

A simple test

A good random number generation system guarantees the proper production of "quality". In order to check this quality, a series of statistical tests are usually performed. There is no need to delve into complex statistical topics and compare the results of a known behavior and number generator to help with quality evaluation.

A simple test is a dice game. Assuming that you throw 1 dice 1 times to get the result 6 probability is 1/6, then if I also throw 3 dice 100 times, the results are roughly as follows:

• 0 x 6 = 57.9 times

• One 6 = 34.7 times

• 2 x 6 = 6.9 times

• 3 x 6 = 0.5 times

Here is the code that implements the dice 1,000,000 times:

$times = 1000000; $result = []; for ($i =0; $i < $times; $i + +) {     $dieRoll = array (6 = 0);//initializes just the six counting to zero     $dieRoll [ Roll ()] + = 1;  First Die     $dieRoll [Roll ()] + = 1,//second die     $dieRoll [Roll ()] + = 1,//third die     $result [$dieRoll [6]] + = 1; Counts the Sixes} function roll () {     

Using the PHP7 Random_int and the simple Rand function, you may get the following results

Sixes	Expected	Random_int
0	579000	579430
1	347000	346927
2	69000	68985
3	5000	4658

If we see a better comparison of Rand and Random_int first, we can apply a formula to draw the result on the graph. The formula is: (PHP results-expected results)/expected results of 0.5 times.

The result diagram is as follows:

(values closer to 0 are better)

Although the results of 3 6 were not good and the test was too simple for practical use we can still see that random_int performance is better than Rand.

Further, the security level of our application is improved by the unpredictability and repeatable behavior of the random number generator.

Where's PHP5?

By default, PHP5 does not provide a strong random number generator. In fact, there are options such as openssl_random_pseudo_bytes (), Mcrypt_create_iv () or directly using the Fread () function to use/dev/random or/dev/urandom devices. There are also some packages such as Randomlib or Libsodium.

If you want to start using a better random number generator and are ready to use PHP7 at the same time, you can use Paragon Initiative Enterprises Random_compat Library. Random_compat Library allows you to use Random_bytes () and Random_int () in PHP 5.x

This library can be installed via Composer:

Composer require Paragonie/random_compat  

Random_compat libraries and PHP7 are used in different order:

Want to know why this sequence is recommended for reading documentation.

A simple application of this library is used to generate passwords:

$passwordChar = ' 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ '; $passwordLength = 8; $max = strlen ($passwordChar)-1; $password = "; for ($i = 0; $i < $passwordLength; + + $i) {     

Summarize

You should always use a cryptography-safe pseudo-random number generator, and the Random_compat library provides a good implementation.

If you want to use reliable random data sources, as you can see in this article, it is recommended to use Random_int and random_bytes as soon as possible.

Link: http://www.codeceo.com/article/php-random.html

English original: Randomness in Php–do you feel Lucky?

