March 3, 2017
PHP7: CSPRNG
Currently we rely on mt_rand(0, PHP_INT_MAX) for “random” numbers (a Mersenne Twister, not a cryptographically secure source) and on bin2hex(openssl_random_pseudo_bytes(32)) from the OpenSSL extension for random bytes.
With PHP7 we now have a cryptographically secure pseudo-random number generator (CSPRNG) [1].
// Generates cryptographically secure pseudo-random bytes
$string = bin2hex(random_bytes(32));
Sample output: 865447fd7f3ade5a46cb39a7253d916a238420d7a18e50f83afb3a7dd0c11cb4
// Generates cryptographically secure pseudo-random integers
$integer = random_int(0, PHP_INT_MAX);
Sample output: 7499029716700637831
Using weak random values leads to weak security, possible attack surfaces or even complete compromise of a system [2]. Humans are known to be terrible at generating random numbers, because their choices are very predictable. This is why we need truly unpredictable values to build a secure system.
Use cases
- Encryption keys
- Salts
- Initialization vectors
- CSRF tokens
- Simply something unguessable/random
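The use cases above, worked through in one PHP script. This is an added example and not code from the original post; the function names, the session array passed in by reference, and the wire layout of IV, tag and ciphertext are assumptions, and the AES-GCM part needs PHP 7.1 or later for the authentication-tag parameters of openssl_encrypt()/openssl_decrypt().

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): CSRF tokens, keys, IVs and
// one-time codes built on random_bytes()/random_int(). Function names and
// the session layout are assumptions made for this example.

// CSRF token: 32 random bytes (256 bits), hex-encoded, stored server-side.
function csrf_issue(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// Validate with hash_equals() so the comparison does not leak timing information.
function csrf_check(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Encryption with AES-256-GCM: the key is 32 random bytes supplied by the caller,
// the IV length is asked from OpenSSL rather than hard-coded, and a fresh IV is
// drawn for every message (reusing an IV under one key breaks GCM).
function encrypt_message(string $plaintext, string $key): string
{
    $cipher = 'aes-256-gcm';
    $iv  = random_bytes(openssl_cipher_iv_length($cipher));
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // IV and tag are not secret; they travel alongside the ciphertext (assumed layout).
    return $iv . $tag . $ciphertext;
}

function decrypt_message(string $blob, string $key): string
{
    $cipher = 'aes-256-gcm';
    $ivLen  = openssl_cipher_iv_length($cipher);
    $iv  = substr($blob, 0, $ivLen);
    $tag = substr($blob, $ivLen, 16);
    $ciphertext = substr($blob, $ivLen + 16);
    $plaintext = openssl_decrypt($ciphertext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed or tag mismatch');
    }
    return $plaintext;
}

// One-time code: random_int() is uniform over the range, unlike taking
// random_bytes() modulo N, which is biased unless N divides the byte range.
function one_time_code(int $digits = 6): string
{
    $max = (10 ** $digits) - 1;
    return str_pad((string) random_int(0, $max), $digits, '0', STR_PAD_LEFT);
}

// Salts for password storage: password_hash() draws its own CSPRNG salt,
// so a hand-made salt is only needed for formats that require one.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// random_bytes()/random_int() throw when no secure source is available.
// Fail closed instead of falling back to mt_rand().
try {
    $session = [];
    $token = csrf_issue($session);
    var_dump(csrf_check($session, $token));
    var_dump(csrf_check($session, 'wrong'));

    $key  = random_bytes(32);
    $blob = encrypt_message('hello', $key);
    var_dump(decrypt_message($blob, $key) === 'hello');

    echo one_time_code(), PHP_EOL;
    var_dump(password_verify('correct horse', store_password('correct horse')));
} catch (Throwable $e) {
    error_log('CSPRNG unavailable: ' . $e->getMessage());
    exit(1);
}
```

The catch block is the part practitioners most often get wrong: on a host without /dev/urandom or an equivalent, random_bytes() raises rather than returning weak output, and the right response is to abort the operation, not to substitute mt_rand() or openssl_random_pseudo_bytes() without checking its $crypto_strong flag.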
Sources:
[1] https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator
[2] https://en.wikipedia.org/wiki/Random_number_generator_attack
Tags: php, php7
About the author
human, software engineer, tech enthusiast, security researcher
E-Mail: blog@cipher.digital
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP (RSA-2048)

xsBNBFjAYL4BCACsmBS6zE+0b7mZVtQhmfnRn3+IIQfT6WlE6izM39Q42yxj
Hf2GOZU15Xc1x5RM9ZZx7HnMyTQWJMkwCzEba4Ju8dbn8gbFzLFp+mXAWQVJ
NOhsLvt58X/k1nQ3HYaYAbJPFE4k89zlFUjBG+a1Qs0kNg5RkaSTcE4iV6L4
749LYRba1VFK1p3eIFmIh1zQnzwFY1WYJjvXHURZel8MA0BJTkmfOW4MRHZL
lz8mjmTeWoRyxismRDprEtGynK7oIb3qUKAIr5MtoyESHBhVR+EpWHP0+06T
IfOsrsp8maNztXRQRKZxHzNZj/ayGpxBGO19e0/6jNpWGI5Nflwo/oHbABEB
AAHNI0RpZ2l0YWxDaXBoZXIgPGJsb2dAY2lwaGVyLmRpZ2l0YWw+wsByBBAB
CAAmBQJYwGDQBgsJCAcDAgkQMsB3T2XG/XYEFQgCCgMWAgECGwMCHgEAAOzo
B/4obbCU7u4f8kXQiaqAhSCjjyR5ZzdApPCh9i9XJ0qGTULTUuBrin1JDXSj
HoiByL2mYh92+I8S+YMWLMiTQzl9O4wx+A0eDnfwbs5jKJSQt5Pc8NMlwWKU
pG+R7escZ7le/qJYMgGPUWzFhgaKi8jueMW/NJSmPu/Tu4V9nhyxG9oaV3oP
rF+W0bekP84tDJ477clRSSK9ZzjMbLL1PWuNmCd8Gsnd3fyP1WcadIMDrnBB
sb+7AQ9eTywJ4Yzogh+cWjwy+TkkfEyCJ0X2n5WPURWc0YOFVqhcV4TYDR4v
CHSbh+r7OVKIjqdQKDJwAUCYeSkePbxJYmzRoaTd2+RgzsBNBFjAYL4BCADE
i8WrXxZWn42DlKDpnwTFBo/8asY4SJ22Zagkoj3cVvkechDWqQnWD753y5Xo
gymfPnNjoQGmClDaQoZ29kC4kHTmBPICHCCLvV/7YVCZC4WPpSnpklbllmk7
S8WTnyEm09gniGyLVy5st6MYmFDB4VnfXpzVYtpyEOyIfGV+JmuT90L872xc
+rI1/UuZA15k8M+ViD2xDlBMz3fbWxbt/KEUvbGoh2RW6SBJl1/z33ainQmO
oqygZtHhoFybqf/OUAHzASPcy+E4byWBIqwDDumKWfsd1YYkUgPMIxEvNaU3
2Olh5+2HX1y8WAf5cIfXUDfmZ88HmWVVXAK9JjztABEBAAHCwF8EGAEIABMF
AljAYNEJEDLAd09lxv12AhsMAACSqQf/Tz5KsfN3Yr82jXeO7jEWqI8yUaV2
vfK2JNfQXMIYDezIPxZU/sOOz9QF5gzHaLzt6moDQzHTZy9IE6q4l5gH1Wcm
1rX2b2b4ST3ThRzuDcfSCDZvUIAQ0WEBlXJZbCMwV8Rs5vsvv/CeXaT19zMb
CGD+23A1dKDSDmnlycCSDlTK0dc4flc8qqsMAXXtV7F370L3r76GQGj/ap57
k8K5l8VOqNCU2E8PJ1nU3Kf0fpaPJCpmDp51iZB6Ndx7ujb3qCzt5ND0Nqpz
8wuA9uuzf7LdYsz6MdDo3u8cBYeT2KA2pOA6W1SJgSx62Z4hFZxS5nseW3al
tfhqcXA+Ox3+gw==
=GS1N
-----END PGP PUBLIC KEY BLOCK-----