Newsgroups: php.internals
Date: Fri, 7 Mar 2014 16:56:42 +0100
To: PHP internals
Subject: Default mcrypt_create_iv() to /dev/urandom
From: nikita.ppv@gmail.com (Nikita Popov)

Hi internals!

Currently the mcrypt_create_iv() function uses /dev/random as the default source for random bytes. This is problematic, because /dev/random will block if entropy for reseeding the kernel's CSPRNG is estimated to be low. If mcrypt_create_iv() with default parameters is used in any kind of user-facing code the blocking will cause unpredictable slowdowns and can be easily exploited for a denial of service attack.

/dev/urandom - contrary to popular misconception - is also a cryptographically safe source of randomness and is recommended over the use of /dev/random for most (sometimes all) applications [1] [2] [3] [4] [5]. Quoting from the /dev/random man page [1]:

> If you are unsure about whether you should use */dev/random* or
> */dev/urandom*, then probably you want to use the latter. As a
> general rule, */dev/urandom* should be used for everything except
> long-lived GPG/SSL/SSH keys. [*]

One potential issue when using /dev/urandom is that on some systems (notably Linux, but not BSD) it will not block even if it can't gather enough initial entropy for seeding the CSPRNG and as such produce predictable outputs. This condition can only occur immediately after system startup and as per the /dev/random man page [1] this is mitigated by "all major Linux distributions [...] since 2000 at least" by saving a seed file.

As such I would suggest defaulting the mcrypt_create_iv() $source parameter to MCRYPT_DEV_URANDOM.

Objections?

Nikita

[*] The latter claim is disputed, see for example the end of [4].
[1]: http://man7.org/linux/man-pages/man4/random.4.html
[2]: http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
[3]: http://security.stackexchange.com/questions/3936/is-a-rand-from-dev-urandom-secure-for-a-login-key/3939#3939
[4]: http://blog.cr.yp.to/20140205-entropy.html
[5]: http://www.2uo.de/myths-about-urandom/
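An added example, not part of the mail or of PHP's mcrypt code: a Python probe that opens a random device with O_NONBLOCK and waits at most a fixed deadline, so the /dev/random blocking condition described above shows up as a "timeout" result instead of an unbounded hang, which is the behaviour that makes the /dev/random default a denial-of-service risk. The function names (`read_bounded`, `create_iv`) are assumptions of this example; `create_iv` stands in for `mcrypt_create_iv($size, MCRYPT_DEV_URANDOM)` and uses `os.urandom`, which on Linux draws from the same kernel CSPRNG as /dev/urandom.

```python
"""Probe a random device without risking an unbounded block (added example).

Opening the device with O_NONBLOCK turns the "entropy pool is low" condition
of /dev/random into EAGAIN (BlockingIOError) instead of a hang, so a caller
can fail fast or fall back. /dev/urandom never reports EAGAIN.
"""
import os
import select
import time

DEV_RANDOM = "/dev/random"
DEV_URANDOM = "/dev/urandom"


def read_bounded(path, nbytes, deadline_s=0.5):
    """Read nbytes from a random device, waiting at most deadline_s seconds.

    Returns (status, data): "ok" with nbytes of data, "timeout" if the device
    would have blocked past the deadline (partial data returned), or
    "missing" if the device node does not exist (e.g. a minimal sandbox).
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except FileNotFoundError:
        return "missing", b""
    buf = bytearray()
    end = time.monotonic() + deadline_s
    try:
        while len(buf) < nbytes:
            try:
                chunk = os.read(fd, nbytes - len(buf))
            except BlockingIOError:
                # /dev/random would block here; wait for readability, but
                # only until the deadline, then give up instead of hanging.
                remaining = end - time.monotonic()
                if remaining <= 0:
                    return "timeout", bytes(buf)
                select.select([fd], [], [], remaining)
                continue
            if not chunk:  # unexpected EOF on a device; stop rather than spin
                break
            buf += chunk
    finally:
        os.close(fd)
    return ("ok" if len(buf) == nbytes else "timeout"), bytes(buf)


def create_iv(size):
    """Stand-in for mcrypt_create_iv($size, MCRYPT_DEV_URANDOM): CSPRNG bytes
    that never block once the kernel pool has been seeded at boot."""
    return os.urandom(size)
```

The probe reports "timeout" only on systems where /dev/random still blocks; on kernels where it behaves like /dev/urandom after boot it simply returns "ok".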