Newsgroups: php.internals
Xref: news.php.net php.internals:97911
Message-ID: <46d4326d-bf08-3104-c7b0-765202d4213c@gmx.de>
Date: Sat, 21 Jan 2017 13:34:06 +0100
To: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: Improving mt_rand() seed
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 16.01.2017 at 08:04, Yasuo Ohgaki wrote:

> Since I was about to improve uniqid()'s entropy by replacing
> php_combined_lcg() with php_random_int(), I spent time to check other places
> that could be a problem.
>
> mt_rand() is seeded as follows by default.
>
> ext/standard/php_rand.h
> #ifdef PHP_WIN32
> #define GENERATE_SEED() (((zend_long) (time(0) * GetCurrentProcessId())) ^ ((zend_long) (1000000.0 * php_combined_lcg())))
> #else
> #define GENERATE_SEED() (((zend_long) (time(0) * getpid())) ^ ((zend_long) (1000000.0 * php_combined_lcg())))
> #endif
>
> We know this kind of seed is guessable.

But where's the problem?  mt_rand() is not suitable for cryptographic
purposes anyway.

> i.e. Our session id is compromised
> by this kind of code.

Does the session ID rely on mt_rand() or GENERATE_SEED()?  If so, that
would of course be an issue, but that should be fixed by not using
mt_rand()/GENERATE_SEED() for the session ID at all, IMHO.

-- 
Christoph M. Becker
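
Added example, not part of the original message and not php-src code: a textbook MT19937 in C, seeded with the arithmetic of the quoted non-Windows GENERATE_SEED(), showing that a token drawn from such a generator is fixed entirely by the 32-bit seed. The helper names, the int64_t stand-in for zend_long and the sample time, pid and LCG values are assumptions, and PHP's own mt_rand() is not reproduced bit for bit here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Textbook MT19937; not PHP's exact mt_rand(). All output derives from s[]. */
typedef struct { uint32_t s[624]; int i; } mt_t;

static void mt_seed(mt_t *m, uint32_t seed) {
    m->s[0] = seed;
    for (int k = 1; k < 624; k++)
        m->s[k] = 1812433253u * (m->s[k - 1] ^ (m->s[k - 1] >> 30)) + (uint32_t)k;
    m->i = 624;                       /* force a twist on first use */
}

static uint32_t mt_next(mt_t *m) {
    if (m->i >= 624) {                /* regenerate the 624-word state */
        for (int k = 0; k < 624; k++) {
            uint32_t y = (m->s[k] & 0x80000000u) | (m->s[(k + 1) % 624] & 0x7fffffffu);
            m->s[k] = m->s[(k + 397) % 624] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
        }
        m->i = 0;
    }
    uint32_t y = m->s[m->i++];        /* tempering */
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    y ^= y >> 18;
    return y;
}

/* Quoted GENERATE_SEED() arithmetic; int64_t stands in for zend_long (assumption). */
static uint32_t generate_seed(int64_t now, int64_t pid, double lcg) {
    return (uint32_t)((now * pid) ^ (int64_t)(1000000.0 * lcg));
}

/* Hypothetical helper: a 32-hex-digit "session-like" token from the generator. */
static void token_from_seed(uint32_t seed, char out[33]) {
    mt_t m;
    mt_seed(&m, seed);
    for (int k = 0; k < 4; k++)
        snprintf(out + 8 * k, 9, "%08x", (unsigned)mt_next(&m));
}

int main(void) {
    char a[33], b[33];                /* constructed sample inputs below */
    token_from_seed(generate_seed(1484982000, 4086, 0.5), a);
    token_from_seed(generate_seed(1484982000, 4086, 0.5), b);
    printf("%s\n%s\nidentical: %s\n", a, b, strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```

However long the token looks, it can take at most 2^32 distinct values, because the generator's whole state is derived from the 32-bit seed; identifiers that must be unguessable need a CSPRNG source instead.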