2718.us blog » mt_rand

A Variety of Issues with Pseudo-Random Numbers in PHP
http://2718.us/blog/2008/08/31/a-variety-of-issues-with-pseudo-random-numbers-in-php/
Mon, 01 Sep 2008 01:10:22 +0000, 2718.us

It appears that there are now demonstrated exploits of PHP apps that use mt_rand() and/or rand(). They result from seeding in one application affecting the PRNG stream in another application that used the PRNG to generate passwords or similar secrets. From "mt_srand and not so random numbers":

… it is strongly recommended for the PHP developers to add more secure random number functions to the PHP core and it is strongly recommended for PHP application developers to keep their fingers away from srand() or mt_srand() and to never ever use rand() or mt_rand() for cryptographic secrets.

It sounds like the PRNGs in PHP, mt_rand() and rand(), shouldn’t be used for anything security-related, and perhaps /dev/random or /dev/srandom or some such should be used instead (though this is much more system-dependent).
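
The seeding issue described above, shown as an added example that is not code from the original post or from the quoted article. It assumes PHP 7.0 or later, where random_int() draws from the operating system's CSPRNG; the function names and the seed value are constructed for illustration.

```php
<?php
// Added illustration: names and the seed value are constructed.

// Build a password by indexing an alphabet with the supplied generator.
// $rand is 'mt_rand' (process-wide Mersenne Twister state) or
// 'random_int' (OS CSPRNG, unaffected by mt_srand()/srand()).
function make_password(callable $rand, int $len = 12): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[$rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// "Application A": unrelated code running in the same PHP process
// seeds the shared generator with a guessable value.
function app_a_seeds(int $seed): void {
    mt_srand($seed);
}

$seed = 1220231422; // constructed sample seed (a Unix timestamp)

// "Application B" issues a password from mt_rand() after A has seeded.
app_a_seeds($seed);
$issued = make_password('mt_rand');

// The same seed replays the same stream, so the password is a pure
// function of the seed rather than a secret.
mt_srand($seed);
$replayed = make_password('mt_rand');
echo "mt_rand password reproduced from seed: ";
var_dump($issued === $replayed);

// Hardened form: re-seeding the Mersenne Twister does not influence
// random_int(), so the two values are drawn independently.
app_a_seeds($seed);
$first = make_password('random_int');
app_a_seeds($seed);
$second = make_password('random_int');
echo "random_int password reproduced from seed: ";
var_dump($first === $second);
```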
