Ladies and gentlemen...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Ladies and gentlemen...

Post by kaisellgren »

... let me introduce you http://fi.php.net/manual/en/function.op ... -bytes.php - the damn simple way to create cryptographically strong random data. :)

There's a "strong" parameter that tells us whether a strong algorithm was used. On a Windows 7 x64, lighttpd + OpenSSL enabled developer machine, I was able to pull very high (stronger than /dev/urandom) random data and actually I don't wonder why; it polled my CryptoAPI PRNG directly. In general you will always get very strong results back (even if I shut down CSP on Windows, it uses a hash of my screen and other cool tricks). Windows, Linux, Unix, BSD's, Mac and Solaris will all provide cryptographically strong random data and in general OpenSSL should be available on web servers.

I suggest using this function, and if something went wrong (i.e. you got weak random data), notify the site admin or possibly reject further processing depending on how important the site is. This potentially "weak" data (depends on platforms, different algorithms used) still seems to be always stronger than data generated with mt_rand(), for instance.

Just one more reason to use PHP 5.3. I must admit, PHP is becoming quite a solid and robust package.
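The check the post recommends (look at the "strong" flag and refuse to continue when it is false) looks like this in practice. This is an added example, not code from the post or from the PHP manual; the function name secure_token and the error handling are my own choices, and it assumes the OpenSSL extension is loaded.

```php
<?php
// Added example: generate a hex token from openssl_random_pseudo_bytes() and
// fail closed when OpenSSL reports that the bytes are not cryptographically strong.
// secure_token() is a hypothetical helper name, not a PHP built-in.

function secure_token($length = 32)
{
    // Second argument is passed by reference and is set to true only when a
    // cryptographically strong source (CryptoAPI, /dev/urandom, ...) was used.
    $bytes = openssl_random_pseudo_bytes($length, $strong);

    // On failure the function returns false; also guard against a short result
    // and against the "weak algorithm" case the post warns about.
    if ($bytes === false || strlen($bytes) !== $length || $strong !== true) {
        // Do not silently fall back to mt_rand() or similar: surface the problem
        // so the site admin is notified and the request can be rejected.
        error_log('secure_token: no cryptographically strong random bytes available');
        throw new RuntimeException('Secure random source unavailable');
    }

    // bin2hex() gives 2 * $length characters that are safe in cookies and URLs.
    return bin2hex($bytes);
}

try {
    $token = secure_token(32);
    echo "Token: $token\n";
} catch (RuntimeException $e) {
    // Reject further processing rather than issuing a weak session/CSRF token.
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    echo "Could not generate a secure token.\n";
}
```

The try/catch is where an application decides between "notify the admin" and "reject the request", as discussed above; the important property is that the weak-data branch never hands out a token. On PHP 7 and later, random_bytes() offers the same fail-closed behaviour without the flag check, since it throws when no strong source is available.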
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Re: Ladies and gentlemen...

Post by omniuni »

Haha, cool. Thanks Kai!
Peter Anselmo
Forum Commoner
Posts: 58
Joined: Wed Feb 27, 2008 7:22 pm

Re: Ladies and gentlemen...

Post by Peter Anselmo »

Good Link, Thanks.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Ladies and gentlemen...

Post by Weirdan »

Though the name is misleading: what it returns, pseudobytes? How do I convert them to normal bytes? :lol:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Ladies and gentlemen...

Post by kaisellgren »

Yea, I would rather call it openssl_pseudo_random_bytes()... because now the random data is pseudo, not the bytes 8)