Randomness in PHP Do you think you're lucky? _php Tips

Source: Internet
Author: User
Tags cryptographically secure fread generator rand

This paper analyzes the related problems of generating random numbers for encryption. PHP 5 does not provide a simple mechanism for generating robust random numbers in cryptography, but PHP 7 solves the problem by introducing several CSPRNG functions.

One, what is csprng

Citing Wikipedia, a cryptography-safe pseudo-random number generator (cryptographically secure pseudorandom numbers generator abbreviation CSPRNG) is a pseudo-random number generator (PRNG), The pseudo random number generated by the algorithm is suitable for cryptography.

CSPRNG may be used primarily for:

    • Key generation (for example, generating complex keys)
    • Generate a random password for a new user
    • Encryption system

A key aspect of getting high level security is high quality randomness.

Ii. the csprng in the PHP7

PHP 7 introduces two new functions that can be used to implement csprng:random_bytes and Random_int.

The Random_bytes function returns a string that accepts an int parameter representing the number of bytes returned by the result.

Example:

$bytes = Random_bytes (' ten ');
Var_dump (Bin2Hex ($bytes));
Possible ouput:string () "7dfab0af960d359388e6"

The Random_int function returns an int number within a specified range.

Example:

Var_dump (Random_int (1));
Possible output:27

Third, background operating environment

The randomness of the above functions depends on the environment:

    • On Windows, CryptGenRandom () is always used.
    • On other platforms, Arc4random_buf () will be used if available (in the BSD series or on a LIBBSD system)
    • If none of the above is true, a Linux system call Getrandom (2) will be used.
    • If not,/dev/urandom will be used as the last available tool.
    • If none of the above, the system will throw an error

四、一个 a simple test

A good random number generation system ensures the proper production of "quality". In order to check this quality, a series of statistical tests are usually performed. There is no need to delve into complex statistical topics, and comparing the results of a known behavior and a digital generator can help quality evaluation.

A simple test is the dice game. Suppose 1 dice 1 times the probability of a result of 6 is 1/6, then if I throw 3 dice at the same time 100 times, the results are roughly as follows:

0 6 = 57.9 times
One 6 = 34.7 times
2 6 = 6.9 times
3 6 = 0.5 times
Here is the code that implements the dice 1,000,000 times:

$times = 1000000;
$result = [];
for ($i =0; $i < $times; $i + +) {
  $dieRoll = array (6 => 0);//initializes just the six counting to zero
  $dieRoll [ Roll ()] + + 1;  Die
  $dieRoll [Roll ()] + = 1//second die
  $dieRoll [Roll ()] + + = 1;//third die
  $result [$dieRoll [6]] + 1; Counts the Sixes
}
function Roll () {return
  random_int (1,6);
}
Var_dump ($result);

Using the PHP7 Random_int and the simple Rand function might get the following results

If we first see a better comparison of Rand and Random_int we can apply a formula to draw the results on the diagram. The formula is: (PHP results-expected results)/expected results of the 0.5-time side.

The result diagram is as follows:

(Close to 0 is a better value)

Although the 3-6 result is not good, and this test is too simple for practical applications, we can still see that random_int performance is better than Rand.

Further, the security level of our application is enhanced by unpredictability and repeatable behavior of random number generators.

Where's PHP5?

By default, PHP5 does not provide a strong random number generator. In fact, there are choices such as openssl_random_pseudo_bytes (), Mcrypt_create_iv () or using the Fread () function directly to use/dev/random or/dev/urandom devices. There are also some packages such as Randomlib or Libsodium.

If you want to start using a better random number generator and are ready to use PHP7 at the same time, you can use the Paragon Initiative Enterprises Random_compat Library. Random_compat Library allows you to 5.x project in PHP. Using Random_bytes () and Random_int ()

This library can be installed via composer:

Composer require paragonie/random_compat
require ' vendor/autoload.php ';
$string = Random_bytes (a);
Var_dump (Bin2Hex ($string));
String ($) "8757a27ce421b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2aaec6f"
$int = Random_int (0,255);
Var_dump ($int);
Int (81)

Random_compat libraries and PHP7 use a different order:

Fread ()/dev/urandom if available
Mcrypt_create_iv ($bytes, Mcrypt_create_iv)
COM (' CAPICOM. Utilities.1 ')->getrandom ()
openssl_random_pseudo_bytes ()

A simple application of this library is used to generate passwords:

$passwordChar = ' 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ';
$passwordLength = 8;
$max = strlen ($passwordChar)-1;
$password = ';
for ($i = 0; $i < $passwordLength + + $i) {
  $password. = $passwordChar [Random_int (0, $max)];
}
echo $password;
Possible Output:7rgg8ghu

Summarize

You should always use a cryptographic secure pseudo-random number generator, Random_compat library provides a good implementation.

If you want to use a reliable random data source, as you can see in this article, it is recommended that you use Random_int and random_bytes as soon as possible.

The above is about the randomness of PHP related content, I hope to help you learn.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.