CSPRNG function in PHP

This article mainly introduces the CSPRNG function in PHP. Interested friends can refer to it. I hope it will be helpful to everyone.

1. What is CSPRNG

Quoting Wikipedia, a cryptographically secure pseudo-random number generator (Cryptographically Secure Pseudorandom Number Generator, abbreviated CSPRNG) is a pseudo-random number generator. Random number generator (PRNG), which generates pseudo-random numbers suitable for cryptographic algorithms.

CSPRNG may be mainly used for:

• Key generation (for example, generating complex keys)

• Generate random passwords for new users

• Encryption system

Get A key aspect of high-level security is high-quality randomness

2. CSPRNG in PHP7

PHP 7 introduces two new functions that can be used to implement CSPRNG: random_bytes and random_int.

random_bytes function returns a string and accepts an int input parameter representing the number of bytes of the returned result.

Example:

$bytes = random_bytes('10');
var_dump(bin2hex($bytes));
//possible ouput: string(20) "7dfab0af960d359388e6"

random_int function returns an int number within the specified range.

Example:

var_dump(random_int(1, 100));
//possible output: 27

##3. Background running environment

The randomness of the above functions varies depending on the environment:

• On windows, CryptGenRandom() is always used.
  

• On other platforms, arc4random_buf() will be used if available (established on BSD series or systems with libbsd)
  

• If none of the above is true, a Linux system call getrandom(2) will be used.
  

• If not, /dev/urandom will be used as the last available tool
  

• If none of the above works, the system will throw an error

##4. A simple test

A good random number generation system ensures appropriate generation "quality". To check this quality, a series of statistical tests are usually performed. Without delving into complex statistics topics, comparing a known behavior to the results of a number generator can help with quality assessment.

A simple test is the dice game. Assume that the probability of rolling a dice once to get a result of 6 is 1/6, then if I roll 3 dice at the same time 100 times, the result will be roughly as follows:

0 6 = 57.9 times

1 6 = 34.7 times

2 6s = 6.9 times
3 6s = 0.5 times
The following is the code to implement rolling dice 1,000,000 times:

$times = 1000000;
$result = [];
for ($i=0; $i<$times; $i++){
  $dieRoll = array(6 => 0); //initializes just the six counting to zero
  $dieRoll[roll()] += 1; //first die
  $dieRoll[roll()] += 1; //second die
  $dieRoll[roll()] += 1; //third die
  $result[$dieRoll[6]] += 1; //counts the sixes
}
function roll(){
  return random_int(1,6);
}
var_dump($result);

Using PHP7's random_int and simple rand function may get the following results

If you see rand and random_int first, more For a good comparison we can apply a formula and plot the results on a graph. The formula is: (php result-expected result)/expected result raised to the 0.5 power.

The result graph is as follows:

(values ​​close to 0 are better)

Although the results of 3 6's do not perform well, and This test is too simple for practical applications. We can still see that random_int performs better than rand.

Furthermore, the security level of our application is due to the unpredictability and repeatable behavior of the random number generator. promote.

Summary: The above is the entire content of this article, I hope it will be helpful to everyone's study.

Related recommendations:

Execution Cycle Example Analysis of PHP Principles

##Detailed explanation of PHP source code directory structure and function description

##PHP modular installation detailed step-by-step tutorial

##

The above is the detailed content of CSPRNG function in PHP. For more information, please follow other related articles on the PHP Chinese website!