PHPDeveloper: PHP News, Views and Community

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Dave Marshall's Blog: Competition: PHP Job Hunters Handbook up for grabs

Job Posting: LIVESTRONG.com/Demand Media Inc. Seeks Senior PHP Software Developer (Santa Monica, CA)

Job Posting: Children's Hospital Boston Seeks Open Source Web Developer (Boston, MA)

Job Posting: eReleases Seeks Zend/PHP Developer (Baltimore, MD)

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

News Archive

ElePHPant World Tour: The Elephpant World Tour 2008 is done!

Ralph Schinder's Blog: The Semi-Official Zend Framework Pear Channel

Michael Caplan's Blog: Don't Forget to Flush

Sameer Borate's Blog: Finding if an array is ordered

Etienne Kneuss' Blog: SplObjectStorage for a fast and secure object dictionary

Matthew Turland's Blog: php|tek 2009 Hackathon

Tobias Schlitt's Blog: Webdav authentication, authorization and locking

Evert Pot's Blog: Devshed article about SQL Injection

Site News: Blast from the Past - One Year Ago in PHP

Community News: phpGG Frontend Special

feed this:

Suspekt Blog:
mt_srand and not so random numbers

by Chris Cornutt August 18, 2008 @ 13:49:31

Stefan Esser points out a problem with the mt_rand and rand methods in PHP that makes them not quite random enough for cryptographic uses.

PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms are seeded by a single 32 bit dword when they are first used in a process or one of the seeding functions srand() or mt_srand() is called.

He looks at how its currently implemented, some examples of bad methods to get "random" numbers, how shared resources are a problem and an example of a cross-application attack (the application in more than once place using the same method for getting random numbers).

In the comments he recommends either grabbing from /dev/random (if you're on a unix-based system) or making the creation of your numbers a bit more complex to include things the outside world wouldn't know.

0 comments voice your opinion now!
mtrand random number rand cryptography problem

Community Events

Don't see your event here?
Let us know!

All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework