Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:97984 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 60860 invoked from network); 27 Jan 2017 10:58:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Jan 2017 10:58:15 -0000 Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.53 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.215.53 mail-lf0-f53.google.com Received: from [209.85.215.53] ([209.85.215.53:33576] helo=mail-lf0-f53.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 59/96-28703-5C72B885 for ; Fri, 27 Jan 2017 05:58:14 -0500 Received: by mail-lf0-f53.google.com with SMTP id x1so73312348lff.0 for ; Fri, 27 Jan 2017 02:58:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=5dv58niuIzOyGzu4nSXDaxY30ZJeO9qfkVMCtOncaLc=; b=bHPhK1kaYdFbM8CIsQJ3pN/OKFAhCM1dAuSPgQbXQVqAp4bqmKsvnYtWnC6C38CfII 9PPM1YXfjyvLlrxIUH0+tsIuDVU3vnxjIeY3vGMkcm8a7omsr6modwacVDdd1DNuJa9N KQgHtn27AEMTJThWJ6TKWX57L0jYUER/ifP1P25ZT/l2g8RMbriitRhib8YM+rZg+Mly sSoK9wncbMCqnmeFvFBMSIAZZNUo8jXnpruw+UxKhn6y/CZCVvrAtqg+3aGfqFnKpGbS XoiSyy8gYwTnVpX6GFqdeGAWcK/uBnzGELYXdtE2KQsjkoFY9gK3r6RPesb1ZmyLO9qe HAjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=5dv58niuIzOyGzu4nSXDaxY30ZJeO9qfkVMCtOncaLc=; b=D7ZUgECYd4gsSVlbFCn3ACOUOB+Dml1qFl/KVjzsoKnPjxQAl6N1jNcpNmkr3lAPtq fNLLenH6K4hMFlNM7SyX2ahheFKV1Ctos5u5wrUWrAav0Rk4uO3uhaCAQUe4Tia1ewsD xI9rpcLOi9yWfxN1qqxGuKLrsbpMcMk6HcAWBz8EP5wZbGCTdsDXlr/Duqbj9lROJiH0 2/U9jpyCE9A5jQG9jCrAG2nUf17Wg7LjAcOQREKSwAjGubambTx6jNQd8lQ7uUlgF9C8 /Wz3lgeiSgKB+cx+KS2T2+8eXSfotnVtg8b/TbqvqMzljw5WPIqOil8H+0Y5pGBRtK/3 e3fg== X-Gm-Message-State: AIkVDXLYnp6AhLfxVcmeRdYHdR4QJeHIxXJhPKqMu2eRaiSToE3ldH6oHDMHjXWT9uLAdRJa/9XrPwN6PxF+mQ== X-Received: by 10.46.8.82 with SMTP id g18mr2686596ljd.55.1485514689909; Fri, 27 Jan 2017 02:58:09 -0800 (PST) MIME-Version: 1.0 Received: by 10.25.193.83 with HTTP; Fri, 27 Jan 2017 02:58:09 -0800 (PST) In-Reply-To: References: <71c26cd6df6f59e76dafd31647852c2e@koti.fimnet.fi> <142a3537a99809cf23d78e0eaadc3aef@gmail.com> <7a359bb08b0ad8b046534c15492cec91@gmail.com> <8cfe7a3ea5a05fc3e5347e9af848ada0@gmail.com> Date: Fri, 27 Jan 2017 10:58:09 +0000 Message-ID: To: Yasuo Ohgaki Cc: Niklas Keller , =?UTF-8?Q?Lauri_Kentt=C3=A4?= , Nikita Popov , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Re: Improving mt_rand() seed From: leight@gmail.com (Leigh) On 27 January 2017 at 02:52, Yasuo Ohgaki wrote: > Since mt_rand is predictable PRNG, there is possibility to be known to > attackers always. > > What I would like to change is > > - there is only 2^32 initial states This needs to be thought of as 2^32 possible _streams_ with a period of (2^19937)=E2=88=921. Offset within the stream is as important as the str= eam variation itself. > Think of a code that generates "random password string" from mt_rand. > (We know nobody should do this, but there are many codes do this) > > If password is alpha numeric+#$ and 10 chars long, there could be > 64^10 =3D 2^60 patterns with pure random. Statistical testing of MT shows it to be pretty good. The ability to recover the state from full outputs doesn't subtract from the quality of the randomness. It is absolutely not a cryptographic quality generator, but it is a high quality source of entropy. In fact state recovery is made harder in PHP because we only ever emit 31 of the 32 bits of output. This compounds over 624 outputs, and while it doesn't make it impossible to recover it adds some difficulty (especially when you don't know when the state will twist). Another factor to consider is that people discard _most_ of the output when they do things like using mt_rand to generate character strings, so an observer only sees 8 out of 32 bits per call, making state recovery exceptionally more difficult (again not knowing when the state will be mutated). > but with current mt_rand could generate only > 2^32 patterns due to mt_rand() limited state. The 2^32 vs 2^60 is a false equivalence. 2^32 is the theoretical number of unique passwords that can be generated from a freshly initialised state, while 2^60 represents the "bit strength" of a _single_ password. Even with 2^32 possible initial states every password generated will still have a bit strength of 2^60 > This is a lot less random than it could be. > > Hardening mt_rand() w/o salt value beneficial to general mt_rand() usage > also. > i.e. PHP app runs short periods of time and only use beginning of MT rand > cycle. > More than 99% random cycle is wasted currently. You can force this kind of scenario if you have for example a CLI script that generates a single password and then exits. In this case you only have 2^32 possible unique outcomes, but this is rarely the case. The MT state is per-process, not per request. If you do not explicitly re-seed it then you will continue down that 2^19937 period. So in fact it is far safer to not re-seed MT explicitly from user-land code. In most applications you cannot guarantee that your request is being served by the same process, you will never get a full outputs, and you never know your position within the state. State recovery is generally going to be infeasible, even right now without any changes.