Newsgroups: php.internals
Subject: Re: [PHP-DEV] unify entropy source for all php related functions
From: Pádraic Brady <padraic.brady@gmail.com>
Date: Sat, 15 Feb 2014 11:59:34 +0000
To: Jakub Zelenka
Cc: Andrey Andreev, Pierre Joye, PHP internals

Hi,

On 14 February 2014 15:30, Jakub Zelenka wrote:
> It uses /dev/urandom for seeding PRNG. It means that it reads only 32 bytes
> (256 bits) from it. If you call openssl_random_pseudo_bytes you will get
> bytes generated by PRNG
>
>
>> - $crypto_strong will always be true on Linux (UNIX-whatever)
>>
>
> Yes. The reason is that /dev/urandom is non-blocking and you will always
> get enough entropy from it. You don't have to check the flag on Linux
> because it will be always true!
>
> The point is that OpenSSL considers /dev/urandom strong enough for seeding
> CSPRNG.
>
> Jakub

There are the three categories:

1. Non-Cryptographically Deterministic PRNG
2. Entropy Input PRNG
3. Cryptographically Secure PRNG

OpenSSL is the second. /dev/urandom is also the second. /dev/random is the third (after a warmup period!). Something like rand() would be in the first under the assumption that time is predictable.

Those are the technical categories anyway... In reality, you can use a non-CSPRNG for cryptographic needs over the short term. If you can't, it means the damn thing is broken ;). If you have something like a long term or high value cryptographic product, you won't want to stint on entropy and you won't want to run afoul of any future issue with the entropy collection or mixing, and you're probably not going to even use a machine remotely susceptible to inactivity (which may limit the entropy sources).

Be careful of taking claims at face value where definitions are in doubt.

Paddy

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
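The following is an added example, not code from the thread or from PHP's own source. It exercises the three sources the thread argues over from PHP userland: a deterministic generator seeded from the clock (Paddy's first category), a direct read of /dev/urandom, and OpenSSL's PRNG via openssl_random_pseudo_bytes(). It assumes PHP 7 or later with the openssl extension loaded and a Unix host exposing /dev/urandom; the helper names (predictableToken, urandomBytes, opensslBytes) are illustrative, not PHP API. It also keeps the $crypto_strong check that Jakub says is redundant on Linux, because the same code may run on a platform or OpenSSL build where the flag is not always true.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7, ext/openssl
// loaded, and a Unix system with /dev/urandom.

// Category 1 in the thread: a deterministic PRNG seeded from time() is
// reproducible by anyone who can guess the second in which it was seeded.
function predictableToken(int $seedSecond, int $length = 16): string
{
    mt_srand($seedSecond);            // seed is the guessable clock value
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= chr(mt_rand(0, 255));
    }
    return bin2hex($out);
}

$now      = time();
$victim   = predictableToken($now);
$attacker = predictableToken($now);   // same seed guess -> same "random" token
assert($victim === $attacker);

// Reading straight from /dev/urandom, the source OpenSSL itself seeds from.
function urandomBytes(int $length): string
{
    $fh = fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open /dev/urandom');
    }
    $bytes = fread($fh, $length);
    fclose($fh);
    if ($bytes === false || strlen($bytes) !== $length) {
        throw new RuntimeException('short read from /dev/urandom');
    }
    return $bytes;
}

// OpenSSL's PRNG. The thread says $crypto_strong is always true on Linux;
// portable code still refuses to continue when it is not, and also handles
// the false return that older PHP versions use to signal failure.
function opensslBytes(int $length): string
{
    $strong = false;
    $bytes  = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('OpenSSL did not return cryptographically strong bytes');
    }
    return $bytes;
}

// Fresh calls to the OpenSSL PRNG must not repeat, unlike the seeded mt_rand().
$a = bin2hex(opensslBytes(16));
$b = bin2hex(opensslBytes(16));
assert($a !== $b);

printf("mt_srand(time()) token : %s (reproduced by attacker: %s)\n",
       $victim, $victim === $attacker ? 'yes' : 'no');
printf("/dev/urandom           : %s\n", bin2hex(urandomBytes(16)));
printf("openssl (strong=true)  : %s / %s\n", $a, $b);
```

Run it with `php example.php`. The first line shows the clock-seeded token being reproduced exactly by a second caller with the same seed guess, which is the practical meaning of Paddy's "under the assumption that time is predictable"; the other two lines differ on every run. Note that PHP's assert() is a no-op under the default production setting of zend.assertions, so the exceptions in urandomBytes() and opensslBytes(), not the asserts, are the checks to rely on.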