Newsgroups: php.internals
Subject: Re: [PHP-DEV] rand(), mt_rand() and limits
From: Leigh <leight@gmail.com>
To: internals@lists.php.net
Date: Mon, 12 Jan 2015 23:14:41 +0000

I fail at reply to all.

On 12 January 2015 at 16:52, Leigh wrote:
> On 12 January 2015 at 09:31, Andrea Faulds wrote:
>> - To produce a repeatable sequence of random numbers (works, but only if you are the sole user of the global random number generator, which is not guaranteed by any means)
>
> If you're talking about the libc implementation then this is not the case, the RNG state is not shared between processes. If you mean across threads / web requests, then yes rand() is not reentrant, although this is easily fixed by using rand_r() at the cost of an additional uint per thread. (MT is quite a bit more expensive to make reentrant)
>
> On 12 January 2015 at 09:37, Andrea Faulds wrote:
>> - To generate cryptographic keys - a seeded random number generator should NEVER be used for this, but because PHP is so lacking in good facilities to obtain random data for cryptographic purposes, unfortunately rand() is used more than it should be. rand() is already pretty bad, but the existence of srand() makes this a particular problem. Everything shares the same random number generator, which makes it worse, as something might seed it and now your key is easily predictable.
>
> Nobody with any real desire to produce secure cryptographic keys will use rand() for this. I've mentioned in a previous thread I would like to see a generic get_random_bytes() function outside of any cryptography extensions that would fall back through /dev/?random / CryptGenRandom / MT to get the best possible random for a string of bytes for a platform in a quick manner, instead of people trying to loop over mt_rand(0,255) per byte.
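Added example, not code from the thread or from PHP itself: a userland sketch of the source-fallback function Leigh proposes, placed beside the mt_rand(0,255) loop he wants to replace, and a demonstration of Andrea's point that a seeded generator reproduces its output. The function names example_get_random_bytes() and example_mt_rand_bytes() are hypothetical. The example tries /dev/urandom and then openssl_random_pseudo_bytes() (which uses CryptGenRandom on Windows) and fails closed rather than taking the Mersenne Twister step, since the caller wants key-quality bytes and a seedable generator cannot provide them. PHP 7.0 later shipped random_bytes() for exactly this; on 7.0 and newer use that instead of rolling your own.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

/**
 * Return $length bytes from the strongest source available, in order:
 *   1. /dev/urandom (kernel CSPRNG on Unix-like systems)
 *   2. openssl_random_pseudo_bytes() (CryptGenRandom on Windows, OpenSSL's
 *      CSPRNG elsewhere), accepted only when OpenSSL reports it as strong
 * Throws instead of silently degrading to mt_rand(): that generator is
 * seedable via mt_srand(), so any earlier seed fixes the whole sequence.
 */
function example_get_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // 1. /dev/urandom: loop because fread() may return fewer bytes than asked.
    if (@is_readable('/dev/urandom')) {
        $fp = @fopen('/dev/urandom', 'rb');
        if ($fp !== false) {
            $buf = '';
            while (strlen($buf) < $length) {
                $chunk = fread($fp, $length - strlen($buf));
                if ($chunk === false || $chunk === '') {
                    break;
                }
                $buf .= $chunk;
            }
            fclose($fp);
            if (strlen($buf) === $length) {
                return $buf;
            }
        }
    }

    // 2. OpenSSL: $strong is set by reference to whether the bytes are
    //    considered cryptographically strong; reject anything else.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $buf = openssl_random_pseudo_bytes($length, $strong);
        if ($buf !== false && $strong === true && strlen($buf) === $length) {
            return $buf;
        }
    }

    // 3. No acceptable source: fail closed. Never fall back to mt_rand() here.
    throw new RuntimeException('no cryptographically secure random source available');
}

/**
 * The pattern the thread wants to retire: one mt_rand(0,255) call per byte.
 * Fine for non-security uses, but the output is a pure function of the seed.
 */
function example_mt_rand_bytes($length)
{
    $buf = '';
    for ($i = 0; $i < $length; $i++) {
        $buf .= chr(mt_rand(0, 255));
    }
    return $buf;
}

// Demonstration: after mt_srand() the "key" is completely reproducible, which is
// what makes a shared, seedable generator unusable for key material.
mt_srand(12345);
$key1 = example_mt_rand_bytes(16);
mt_srand(12345);
$key2 = example_mt_rand_bytes(16);
var_dump($key1 === $key2);               // bool(true): same seed, same "key"

// The fallback chain yields bytes no userland mt_srand() call can influence.
$good = example_get_random_bytes(16);
var_dump(strlen($good) === 16);          // bool(true)
var_dump(bin2hex($good));                // differs on every run
```

The order of the sources matters less than the fail-closed step: the weak point in real code is usually not which CSPRNG was chosen but a silent fallback to a seedable generator when the good source was unavailable (a chrooted process without /dev/urandom, or a build without the OpenSSL extension).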