Randomness in PHP - Do You Feel Lucky?

This article examines the challenges of using random number generation in cryptography, highlighting the differences between PHP 5 and PHP 7. PHP 5 lacks readily available mechanisms for generating cryptographically secure random numbers, while PHP 7 introduces random_bytes and random_int functions for this purpose.

Understanding CSPRNGs

A Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is a PRNG designed for cryptographic applications. Its key characteristic is high-quality randomness, crucial for:

• Key generation
• Random password creation
• Encryption algorithms

CSPRNGs in PHP 7

PHP 7 provides random_bytes (returning a string of specified byte length) and random_int (returning a random integer within a given range) for CSPRNG functionality.

random_bytes example:

<code class="language-php">$bytes = random_bytes(10);
var_dump(bin2hex($bytes));
// Possible output: string(20) "7dfab0af960d359388e6"</code>

random_int example:

<code class="language-php">var_dump(random_int(1, 100));
// Possible output: 27</code>

These functions utilize various sources of randomness depending on the operating system, prioritizing secure options like CryptGenRandom (Windows), arc4random_buf (BSD), getrandom(2) (Linux), and finally /dev/urandom as a fallback. An error is thrown if no suitable source is found.

Testing Randomness

Evaluating the quality of a random number generator involves statistical tests. A simple example is simulating dice rolls. The expected distribution of outcomes for rolling three dice 1,000,000 times can be compared to the actual results generated by random_int and the standard rand function.

A code example (simplified for brevity) and a comparative graph (shown below) demonstrate that random_int exhibits a distribution closer to the expected values, indicating superior randomness compared to rand.

PHP 5 Alternatives

PHP 5 lacks built-in CSPRNGs. Workarounds include openssl_random_pseudo_bytes(), mcrypt_create_iv(), or direct access to /dev/random or /dev/urandom. Libraries like RandomLib or libsodium offer additional solutions.

The random_compat Library

For PHP 5 compatibility, the Paragon Initiative Enterprises random_compat library provides random_bytes and random_int functionality. It can be installed via Composer (composer require paragonie/random_compat) and used as follows:

<code class="language-php">$bytes = random_bytes(10);
var_dump(bin2hex($bytes));
// Possible output: string(20) "7dfab0af960d359388e6"</code>

This library prioritizes different randomness sources compared to PHP 7, starting with /dev/urandom.

A simple password generation example using random_compat:

<code class="language-php">var_dump(random_int(1, 100));
// Possible output: 27</code>

Conclusion

Using a CSPRNG is crucial for secure applications. The random_compat library offers a backward-compatible solution for PHP 5, while PHP 7 developers should directly utilize random_bytes and random_int. Prioritizing reliable random number generation significantly enhances application security.

Further Reading

Description	Link
Die Hard Test	https://www.php.cn/link/1852a2083dbe1c2ec33ab9366feb2862
Chi-square test with dice example	https://www.php.cn/link/fb6a253729096c1e92e43c26a6fdadc3
Kolmogorov-Smirnov Test	https://www.php.cn/link/030d13e49bb7d1add5ac5ea2e4a43231
Spectral Test	https://www.php.cn/link/6bbd80b04535d39be5e02dbfd8730469
RaBiGeTe test suite	https://www.php.cn/link/e626afbcdb83368b3491c0c473da19f1
Random Number Generation In PHP (2011)	https://www.php.cn/link/f7ff233e4ed3e6b13c5d5c7a9201e4ec
Testing RNG part 1 and 2	https://www.php.cn/link/a1c71b134d46d7f7ff00f488874a8d43, https://www.php.cn/link/2e3517ba49c2a7c999b9c8381185ae4e

Acknowledgements

Thanks to Scott Arciszewski for their peer review assistance.

The above is the detailed content of Randomness in PHP - Do You Feel Lucky?. For more information, please follow other related articles on the PHP Chinese website!