Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: Improving mt_rand() seed
From: Lauri Kenttä <lauri.kentta@gmail.com>
Date: Fri, 27 Jan 2017 16:30:23 +0200
To: Leigh
Cc: Yasuo Ohgaki, Niklas Keller, Nikita Popov, internals@lists.php.net
Message-ID: <1913d779b7954d5c099ed66821cb299c@gmail.com>
References: <71c26cd6df6f59e76dafd31647852c2e@koti.fimnet.fi> <142a3537a99809cf23d78e0eaadc3aef@gmail.com> <7a359bb08b0ad8b046534c15492cec91@gmail.com> <8cfe7a3ea5a05fc3e5347e9af848ada0@gmail.com>

On 2017-01-27 12:58, Leigh wrote:
> On 27 January 2017 at 02:52, Yasuo Ohgaki wrote:
>> Since mt_rand is a predictable PRNG, there is a possibility that it is
>> always known to attackers.
>>
>> What I would like to change is
>>
>> - there are only 2^32 initial states
>
> This needs to be thought of as 2^32 possible _streams_ with a period
> of (2^19937)−1. Offset within the stream is as important as the stream
> variation itself.

This is not true. There is one stream of period (2^19937)−1, and the
initial state defines the current position in that stream.

> Statistical testing of MT shows it to be pretty good. The ability to
> recover the state from full outputs doesn't subtract from the quality
> of the randomness. It is absolutely not a cryptographic quality
> generator, but it is a high quality source of entropy.

Do not confuse entropy and randomness. Entropy is true randomness, as can
be seen in /dev/random. There is no deterministic algorithm for generating
more entropy, so MT or even a CSPRNG has exactly as much entropy as the
seed contains.

> Even with 2^32 possible initial states every
> password generated will still have a bit strength of 2^60

If the attacker knows the algorithm, the bit strength is only 2^32. The
remaining 2^28 comes from security through obscurity, which is not a
generally valid real security thing.

Anyway, a password is better generated with a CSPRNG, not MT, so
"hardening" MT is totally irrelevant.

-- 
Lauri Kenttä
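The point the thread argues over, as an added example that is not part of the original message or of PHP itself: a password drawn from mt_rand() is a deterministic function of one 32-bit seed, so its effective strength is capped at 2^32 however long it is, while random_int() has no seed to recover. The seed value, alphabet and lengths are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed alphabet: 62 symbols, log2(62) ≈ 5.95 bits per character.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak: the whole password is a pure function of a single 32-bit seed.
// However long the output, at most 2^32 distinct passwords can ever be produced.
function mt_password(int $length, int $seed): string
{
    mt_srand($seed);                        // 32-bit seed space
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[mt_rand(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Hardened: random_int() reads the OS CSPRNG, so every character carries
// its full log2(62) bits and there is no internal state worth recovering.
function csprng_password(int $length): string
{
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Bit strength against an attacker who knows the algorithm: the nominal
// strength of the string is bounded by the entropy that went into the seed.
function effective_bits(int $length, int $alphabetSize, int $seedBits): float
{
    $nominal = $length * log($alphabetSize, 2);
    return min($nominal, (float) $seedBits);
}

$seed = 0x5EED1234;                         // constructed 32-bit seed
printf("mt_rand, seed %08x: %s\n", $seed, mt_password(10, $seed));
printf("same seed again:        %s\n", mt_password(10, $seed)); // identical
printf("random_int:             %s\n", csprng_password(10));
// A 10-character password is nominally ~59.5 bits (the "2^60" in the thread),
// but behind a 32-bit seed only 32 of those bits are real.
printf("nominal bits: %.1f  effective bits (32-bit seed): %.1f\n",
    10 * log(62, 2), effective_bits(10, 62, 32));
```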