Suspekt Blog:
mt_srand and not so random numbers
August 18, 2008 @ 13:49:31

Stefan Esser points out a problem with the mt_rand() and rand() functions in PHP that makes them not random enough for cryptographic use.

PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms are seeded by a single 32 bit dword when they are first used in a process or one of the seeding functions srand() or mt_srand() is called.

He looks at how it's currently implemented, some examples of bad methods of getting "random" numbers, how shared resources are a problem, and an example of a cross-application attack (the application in more than one place using the same method for getting random numbers).

In the comments he recommends either reading from /dev/random (if you're on a Unix-based system) or making the creation of your numbers a bit more complex to include things the outside world wouldn't know.
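The seeding behaviour described above, as an added example that is not code from the original post: a token built from mt_rand() is fully determined by the 32-bit seed, while one drawn from the operating system's CSPRNG is not. The function names and the seed value are constructed for illustration, and random_bytes() requires PHP 7 or later.

```php
<?php
// Added example, not code from the original post. Function names and the
// seed value are constructed for illustration.

// Weak: every character comes from mt_rand(), so the whole token is a pure
// function of the 32-bit seed. A longer token adds no entropy.
function weak_token($seed, $length = 32)
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    mt_srand($seed);
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Hardened: take the bytes from the operating system's CSPRNG instead.
// random_bytes() (PHP 7+) throws if no secure source is available.
function strong_token($bytes = 16)
{
    return bin2hex(random_bytes($bytes));
}

$seed = 20080818; // constructed sample seed

// Same seed, same token: at most 2^32 distinct tokens can ever be issued.
$first  = weak_token($seed);
$second = weak_token($seed);
echo "weak tokens identical:      ", var_export($first === $second, true), "\n";

// The generator state belongs to the process, not to the caller. Once one
// component has seeded it, the value a different component draws next is
// already fixed by that seed.
mt_srand($seed); mt_rand();     // component A seeds and draws once
$b_first = mt_rand();           // component B draws its "random" value
mt_srand($seed); mt_rand();     // the same sequence of events, replayed
$b_second = mt_rand();
echo "component B value repeats:  ", var_export($b_first === $b_second, true), "\n";

// Independent of any seed the application controls.
echo "strong tokens differ:       ", var_export(strong_token() !== strong_token(), true), "\n";
```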


All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework