Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to understand the security of random numbers in PHP. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

1. Introduction

On the West Lake sword cup online qualifier online casino question, the plaintext attack gives / flag/seed.txt and a string code in the hint. Here, you need to be a little more thoughtful to think that seed refers to a random number seed, and that the code value on the Web page is a "random number" that changes every hour:

Using the phpmtseed tool (written in C, very fast), we can collide the seeds of random numbers according to random numbers, thus obtaining flag:

The following is the principle analysis:

2. Security defects of random numbers.

Random numbers are widely used in generating CAPTCHA, Token, key and other scenarios, which are divided into true random numbers and pseudo-random numbers. The random numbers we get through algorithms (commonly used linear congruences) and seeds (commonly used clocks) are pseudo-random numbers: when we know the seeds or generated random numbers, the sequence of random numbers can be predicted.

You can see that PHP Manual actually suggests that it is not safe to generate random numbers for encryption, but somehow this Caution only exists in the English version of PHP Manual, while the Chinese version is omitted. This may also be one of the reasons for this defect in many domestic development applications.

The functions that generate random numbers in PHP are rand () and mtrand (), which correspond to srand () and mtstrand (), respectively, which are used to sow the seeds of random numbers. We set up rand.php to test:

Execute:

It can be seen that when the seeds of random numbers are the same, the random number sequence generated by rand () or mtrand () is the same. If seed is leaked, it will lead to the leakage of random number sequence. When the seed value is fixed, such as mtsrand (1000), the random number is nonexistent, and it may not be safe to use dynamic seeds, such as:

/ / the value is small, so it traverses the blasting directly.

Mt_srand (mt_rand (0P.1000))

/ / using a public time () as a seed is as dangerous as a static seed

Mt_srand (time ())

/ / be aware that there may be a deviation in the server time when cracking, and a small range needs to be set.

Since PHP 4.2.0, the random number generator will automatically complete the sowing, no longer need to manually call srand () or mt_srand (), but this is still not safe, we discuss the two functions separately

3. Rand ()

Rand () does not automatically call srand () when generating random numbers, and the resulting sequence of random numbers can be predicted by this formula:

State [I] = state [I-3] + state [I-31]

So we can collect more than 32-bit random sequences generated by rand () to predict the following random sequences.

Detailed reference: Cracking-Php-Rand

(http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/)

And under some platforms, the maximum value of rand () is 32767, which is very vulnerable to blasting.

4. Mt_rand ()

The average speed of generating random values based on PHP Manual,mtrand () is four times faster than the rand () provided by libc. The rand () function uses the libc random number generator by default, and the mtrand () function is used informally to replace it.

The main security flaw of the mtrand () function is that the so-called "automatic sowing" means that PHP will only sow once in the same request process, that is, even if the mtrand () function is called multiple times, random numbers will only be generated based on the seeds sown for the first time. The proof of this conclusion can be done by analyzing the source code of mt_rand () or writing a small script test, instead of expanding it, the core implementation code of the function is this part:

PHPAPI void php_mt_srand (uint32_t seed)

{

/ * Seed the generator with a simple uint32 * /

Php_mt_initialize (seed, BG (state))

Php_mt_reload ()

/ * Seed only once * /

BG (mt_rand_is_seeded) = 1

}

/ *}}

/ * {php_mt_rand

, /

PHPAPI uint32_t php_mt_rand (void)

{

/ * Pull a 32-bit integer from the generator state

Every other access function simply transforms the numbers extracted here * /

Register uint32_t s1

If (UNEXPECTED (! BG (mt_rand_is_seeded) {

Php_mt_srand (GENERATE_SEED ())

}

If (BG (left) = = 0) {

Php_mt_reload ()

}

-- BG (left)

S1 = * BG (next) + +

S1 ^ = (S1 > > 11)

S1 ^ = (S1 18))

}

Since the calculation of generating random number sequence according to seed is not reversible, the effective cracking method should be to exhaust the seed and generate random number sequence and compare it with known random number (sequence), which is also the implementation logic of the phpmtseed tool mentioned at the beginning of the article.

5. Safety recommendations

When it comes to sensitive operations such as encryption / permissions / CSRF Token:

Do not use the time function as a seed or directly as a random number: time () / microtime ()

Do not directly use weak pseudorandom number generators such as rand () ``mt_rand ()

Random numbers should be long enough to defend against violent cracking.

The above is how to understand the security of random numbers in PHP. If you happen to have similar doubts, you might as well refer to the above analysis. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.