Newsgroups: php.internals
From: bryan@ravensight.org ("Bryan C. Geraghty")
To: "Marc Bennewitz"
Date: Fri, 30 Aug 2013 20:17:47 -0500
Subject: RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions

First, I want to ask: Does anyone else think we should draw a distinction between RNGs and CSPRNGs?

I ask this because the OpenSSL option here is the only CSPRNG; the others are trivially breakable and should not be used for cryptographic applications. I could see an argument for wanting to use them in non-security contexts but I'm wondering if the API should make it clear when that is being done.

Secondly, a good place to look for defining a standard secure CSPRNG is FIPS 140-2 Annex C (csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf)

Bryan

-----Original Message-----
From: Marc Bennewitz [mailto:php@marc-bennewitz.de]
Sent: Friday, August 30, 2013 2:59 PM
To: internals@lists.php.net
Subject: Re: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions

On 30.08.2013 04:30, Yasuo Ohgaki wrote:
> On Thu, Aug 29, 2013 at 9:00 PM, Ángel González wrote:
>
>> Marc Bennewitz wrote:
>>
>>> Idea for an RFC for a more powerful (and backward compatible) API of
>>> random number generator functions.
>>>
>>> The following pseudocode is self explained (hopefully)
>>>
>>> const RAND_ALGO_LIBC
>>> const RAND_ALGO_MERSENNE_TWISTER
>>> const RAND_ALGO_OPENSSL
>>> const RAND_ALGO_GMP
>>>
>> (...)
>>
>>> What do you think?
>>>
>>
>> Why do you want them?
>
>
> This proposal is good because we need the best random function
> available in a system with easy to use API. I would like to see the
> best algorithm in a system as default.
>

Defining the "best" algorithm as the standard default would be great but what is the best algorithm? Some are fast but less secure and others are more secure but slow.

Some time ago I read a feature request to implement the Mersenne Twister algorithm for rand/shuffle/array_rand but this was closed because it would be a BC break. (can't find it now).

Best Regards
Marc

--
PHP Internals - PHP Runtime Development Mailing List
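
One way an API could make the RNG/CSPRNG distinction raised in this thread explicit, as an added example that is not code from the thread or from PHP itself. The `RAND_ALGO_*` names are taken from the proposal and defined here as plain strings; `insecure_rand_int()` and `secure_random_bytes()` are hypothetical names, and the OpenSSL extension is assumed to be loaded.

```php
<?php
// Added illustration. The RAND_ALGO_* constants below are NOT real PHP
// constants; they mirror the names in the proposal. Both function names
// are hypothetical.
const RAND_ALGO_LIBC = 'libc';
const RAND_ALGO_MERSENNE_TWISTER = 'mt';
const RAND_ALGO_OPENSSL = 'openssl';

/** General-purpose generators: simulations, sampling, shuffling test data. */
function insecure_rand_int(string $algo, int $min, int $max): int
{
    switch ($algo) {
        case RAND_ALGO_LIBC:
            return rand($min, $max);      // alias of mt_rand() since PHP 7.1
        case RAND_ALGO_MERSENNE_TWISTER:
            return mt_rand($min, $max);
        default:
            throw new InvalidArgumentException("not a general-purpose RNG: $algo");
    }
}

/** Security-sensitive callers get only the CSPRNG, with no algorithm switch. */
function secure_random_bytes(int $length): string
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    // Fail closed if OpenSSL could not provide cryptographically strong output.
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('no cryptographically strong random source');
    }
    return $bytes;
}

// Why the split matters: Mersenne Twister output is a pure function of its
// seed, so the same seed replays the same "random" sequence.
mt_srand(1234);
$first = [mt_rand(), mt_rand(), mt_rand()];
mt_srand(1234);
$replay = [mt_rand(), mt_rand(), mt_rand()];
echo $first === $replay ? "MT sequence replayed from seed\n" : "sequences differ\n";

// Tokens, keys and nonces go through the CSPRNG entry point only.
$token = bin2hex(secure_random_bytes(16));
echo "token length: ", strlen($token), "\n";

// Asking the general-purpose entry point for the CSPRNG is rejected, so the
// choice of a weak generator is always visible at the call site.
try {
    insecure_rand_int(RAND_ALGO_OPENSSL, 1, 6);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```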