This article introduces the CSPRNG functions in PHP. It is offered as a reference for interested readers, and I hope it is helpful to everyone.
First, what is a CSPRNG
According to Wikipedia, a cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator (PRNG) whose output is suitable for use in cryptographic algorithms.
CSPRNG may be used primarily for:
A key aspect of achieving a high level of security is high-quality randomness.
Second, the CSPRNG in PHP 7
PHP 7 introduces two new functions that provide a CSPRNG: random_bytes and random_int.
The random_bytes function accepts an int parameter giving the number of bytes to return, and returns a string of that many random bytes.
Example:
    $bytes = random_bytes(10); // request 10 random bytes
    var_dump(bin2hex($bytes)); // possible output: string(20) "7dfab0af960d359388e6"
The random_int function returns a value of type int within a specified range.
Example:
    var_dump(random_int(1, 100)); // min and max are both required (100 is an example upper bound); possible output: 27
Third, the underlying operating environment
The source of randomness used by these functions depends on the environment:
On Windows, CryptGenRandom() is always used.
On other platforms, arc4random_buf() is used if available (as on the BSD family or on systems with libbsd).
Failing that, the Linux system call getrandom(2) is used.
If that is not available either, /dev/urandom is used as the last resort.
If none of the above is available, an error is thrown.
Fourth, a simple test
A good random number generation system guarantees the right "quality" of the numbers it produces. To check this quality, a series of statistical tests is usually performed. Without delving into complex statistical topics, comparing a known behavior with the output of a number generator can help evaluate its quality.
A simple test is a dice game. The probability of getting a 6 when throwing 1 die 1 time is 1/6, so if I throw 3 dice together 100 times, the results are roughly as follows:
0 sixes = 57.9 times
1 six = 34.7 times
2 sixes = 6.9 times
3 sixes = 0.5 times
Here is the code that simulates throwing the dice 1,000,000 times:
    $times = 1000000;
    $result = [0, 0, 0, 0]; // number of throws that showed 0, 1, 2 or 3 sixes

    for ($i = 0; $i < $times; $i++) {
        $dieRoll = array_fill(1, 6, 0); // count of each face, all starting at zero
        $dieRoll[roll()] += 1; // first die
        $dieRoll[roll()] += 1; // second die
        $dieRoll[roll()] += 1; // third die
        $result[$dieRoll[6]] += 1; // counts the sixes
    }

    function roll()
    {
        return random_int(1, 6);
    }

    var_dump($result);
Using PHP 7's random_int and the simple rand function, you may get the following results
To compare rand and random_int more clearly, we can apply a formula and plot the results on a graph. The formula is: (PHP result - expected result) / (expected result)^0.5, that is, the deviation divided by the square root of the expected result.
The result diagram is as follows:
(values closer to 0 are better)
Although the result for 3 sixes is not good, and the test is too simple for practical use, we can still see that random_int performs better than rand.
Furthermore, the security level of our application is improved by the absence of predictable, repeatable behavior in the random number generator.
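The comparison described above, written out as an added example (not code from the original article): it runs the three-dice test with both rand and random_int, derives the expected counts from the binomial distribution, and prints the normalised deviation from the formula. The helper names sixesHistogram, expectedCounts and deviation are hypothetical.

```php
<?php
// Added example; helper names are hypothetical, not from the article.

// Throw three dice $times times using the generator $roll and count
// how many throws showed 0, 1, 2 or 3 sixes.
function sixesHistogram(callable $roll, int $times): array
{
    $hist = [0, 0, 0, 0];
    for ($i = 0; $i < $times; $i++) {
        $sixes = 0;
        for ($die = 0; $die < 3; $die++) {
            $sixes += ($roll() === 6) ? 1 : 0;
        }
        $hist[$sixes]++;
    }
    return $hist;
}

// Expected counts from the binomial distribution B(3, 1/6).
function expectedCounts(int $times): array
{
    $p = 1 / 6;
    $choose = [1, 3, 3, 1]; // C(3, k) for k = 0..3
    $expected = [];
    foreach ($choose as $k => $c) {
        $expected[$k] = $times * $c * ($p ** $k) * ((1 - $p) ** (3 - $k));
    }
    return $expected;
}

// The article's formula: (observed - expected) / sqrt(expected).
function deviation(int $observed, float $expected): float
{
    return ($observed - $expected) / sqrt($expected);
}

$times = 1000000; // same number of throws as the article's test
$expected = expectedCounts($times);
$generators = [
    'rand'       => function (): int { return rand(1, 6); },
    'random_int' => function (): int { return random_int(1, 6); },
];
foreach ($generators as $name => $roll) {
    foreach (sixesHistogram($roll, $times) as $k => $observed) {
        printf("%-10s %d sixes: observed %7d, expected %9.1f, deviation %+.2f\n",
            $name, $k, $observed, $expected[$k], deviation($observed, $expected[$k]));
    }
}
```

A generator can pass this statistical check and still be predictable: rand() is seedable and its output can be reproduced, so for tokens and keys the deciding property is unpredictability, not the shape of the histogram.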
Summary: That is the entire content of this article. I hope it helps you learn.