Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94431 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 34474 invoked from network); 8 Jul 2016 08:40:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Jul 2016 08:40:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.66 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.215.66 mail-lf0-f66.google.com Received: from [209.85.215.66] ([209.85.215.66:34422] helo=mail-lf0-f66.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A6/12-18622-8E66F775 for ; Fri, 08 Jul 2016 04:40:09 -0400 Received: by mail-lf0-f66.google.com with SMTP id a10so2934676lfb.1 for ; Fri, 08 Jul 2016 01:40:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=65SuqUP87IwZ86phYyYx3j/+qunaekN83JJYBY7N85s=; b=bWTQc79XvXhLXqW3k1EwRM8ea2n4aLptMlYfAckpa2Z93qug9EtqLkpOQTuvLj05Wd Mm/gK0I06WMmXrlILy+WeaUn1OpcTNn9Rb1in4PxO1eBnc0D5XA23hw/l3aeeAPslHz8 qreXZ5N8JGX+leFwh+gL5YVdHtPXfQ7O8q1m5BSzunSDwpsH+b8C4Wqzdqlhu0nJNXwY JNNbZnMq5lkeAvClIs8RXNCya69S/cigczwbJMQV3/Q538E80Nw4o9DHmghwW9idKNfx fkxVa5H812Cva3785G1xjflE8UvwUgwnYVRDGVrw3qvOfMKyWn9GKYdc+6/8FGN5co// MItA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=65SuqUP87IwZ86phYyYx3j/+qunaekN83JJYBY7N85s=; b=bNuVdMJi7xgyf7OmGe39e/h1ui3DAY7+K85tx4acOhYjYUVD3bco82/+MSbphj5RNO +NjNHP6p3e8OPYTJ9xXfRjTvQcCiWRcy8wZ5+JmkTjsNpnzzImKj/R7L5tFEsG3KUI7B EWVtOZWXexEE8018ZbRnfJZLfBlbpICXSDZ7gmBDwc5y8M9hL+TUk+fYwkH/s9K8zV3x cja82GPa5LIAgQj2NtYnCtvkblqr8YeOZv5+UMyAPPipHCdlx0e1WdToqXB/DgzJflMF Kdza9ea7t1jHFfat614O86UM676kku6N+n1WqqdMcbO1vIXcQFDgnbTxPyL60+q9ipGj n7bA== X-Gm-Message-State: ALyK8tLcSS0yUfKLdkY+iDnCYncGPWJ1rPLKpDI13DIn9fFzLI70c7H+gbmmifEZicJN1NCvxIQeOQ/KN6p8vQ== X-Received: by 10.25.136.11 with SMTP id k11mr1013396lfd.134.1467967205690; Fri, 08 Jul 2016 01:40:05 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.27.77 with HTTP; Fri, 8 Jul 2016 01:40:04 -0700 (PDT) In-Reply-To: References: Date: Fri, 8 Jul 2016 09:40:04 +0100 Message-ID: To: Dan Ackroyd Cc: Pierre Joye , Yasuo Ohgaki , Dan Ackroyd , PHP internals , Stanislav Malyshev Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing From: leight@gmail.com (Leigh) On 7 July 2016 at 21:33, Dan Ackroyd wrote: >> I think we need to drop the concerns about exposing "RNG state". >> >> If these are weak RNGs on your system, YOUR SYSTEM is broken. > > Telling people that their system is broken isn't going to be > comforting to the people it happens to. Of course it isn't. If I find out suddenly that /dev/urandom is somehow predictable I would be incredibly uncomfortable. However the least of my worries would be PHPs session id generation. > There are always bugs in software and hardware. At some point it is > almost inevitable that there will be some information leak through > exposing the random numbers directly. Just telling people that their > system is broken and they need to buy need hardware immediately, > rather than just being able to re-enable hashing seems a bad choice. I feel like we're back to the discussions around random_bytes() again. The random number generators being used here are designated CS for a reason. They are not like deterministic RNGs where you can give them simple seed and produce the same set of outputs. They draw on environmental noise for additional entropy and where appropriate they reseed regularly, far before any useful statistical information can be gathered. In the case of urandom it actually performs a SHA1 on its pool, CryptGenRandom mixes in data that has been MD4 hashed, arc4random_buf is literally a stream cipher. These are well maintained and vetted systems. An extra round of hashing is simply unnecessary overhead. > But even without accidental bugs, the scenario I am remain concerned > with is when a piece of hardware or software is compromised by a > sophisticated attacker, (hello NSA!) and the 'random' numbers > generated have some subtle pattern to them. To almost everyone, the > random numbers generated would still look random. But to the > organisation that compromised the system, and so knows the algorithm > that is leaving traces in the random sequences, exposing the random > numbers directly to the outside world would be an obvious but almost > untraceable line of attack on the system. I know it's easy to say: If your system has been compromised you have bigger problems. But this is pretty much the fact of it. If someone has the ability to make your system CSPRNG predictable, they can almost certainly get anything else they want from the system anyway without resorting to that.