Shulou(Shulou.com)06/03 Report--

This article introduces the relevant knowledge of "how to understand the randomness function in PHP". In the actual case operation process, many people will encounter such difficulties. Next, let Xiaobian lead you to learn how to deal with these situations! I hope you can read carefully and learn something!

What is CSPRNG?

A cryptographically secure pseudorandom number generator (CSPRNG) is a pseudorandom number generator (PRNG) that generates pseudorandom numbers suitable for use in cryptographic algorithms.

CSPRNG may be used primarily for:

Key generation (e.g., generating complex keys)

Generate random passwords for new users

encryption system

A key aspect of achieving a high level of security is high quality randomness

CSPRNG in PHP7

PHP 7 introduces two new functions that can be used to implement CSPRNG: random_bytes and random_int.

The random_bytes function returns a string that takes an int as an input representing the number of bytes returned.

Examples:

$bytes = random_bytes('10');var_dump(bin2hex($bytes));//possible ouput: string(20) "7dfab0af960d359388e6"

The random_int function returns an int-type number in the specified range.

Examples:

var_dump(random_int(1, 100));//possible output: 27

III. Background operating environment

The randomness of the above functions varies depending on the environment:

CryptGenRandom() is always used on the window.

On other platforms, arc4random_buf() is used if available (true on BSD series or systems with libbsd)

If none of the above is true, a linux system call getrandom(2) is used.

If not,/dev/urandom will be used as the last available tool.

If none of the above works, the system throws an error.

A simple test.

A good random number generation system guarantees proper generation "quality." To check this quality, a series of statistical tests is usually performed. Without delving into complex statistical topics, comparing a known behavior with the results of a number generator can help with quality evaluation.

A simple test is the dice game. Assuming that the probability of rolling one die once to get 6 is 1/6, then if I roll three dies 100 times at the same time, the rough result is as follows:

0 6 = 57.9

1 6 = 34.7

2 6 = 6.9 times

3 6 = 0.5 times

Here is the code to roll the dice 1,000,000 times:

$times = 1000000;$result = [];for ($i=0; $i 0); //initializes just the six counting to zero $dieRoll[roll()] += 1; //first die $dieRoll[roll()] += 1; //second die $dieRoll[roll()] += 1; //third die $result[$dieRoll[6]] += 1; //counts the sixes}function roll(){ return random_int(1,6);}var_dump($result);

Using random_int in PHP7 and a simple rand function might yield the following result

If we first see a better comparison between rand and random_int we can apply a formula to plot the result on the graph. The formula is: (php result-expected result)/expected result to the power of 0.5.

The results are as follows:

(A value closer to 0 is better)

Even though the results of 3 6's do not perform well, and this test is too simple for practical use, we can still see that random_int performs better than rand.

Further, the security level of our application is enhanced by the unpredictability and repeatable behavior of the random number generator.

PHP5?

By default, PHP5 does not provide a robust random number generator. In fact, there are options such as openssl_random_pseudo_bytes(), mcrypt_create_iv() or simply using the free () function to use/dev/random or/dev/urrandom devices. There are also packages like Random Lib or libsodium.

If you want to start using a better random number generator and are ready to use PHP7 at the same time, you can use the Paragon Initiative Enterprises random_compat library. random_compat library allows you to use random_bytes() and random_int() in PHP 5.x project.

This library can be installed via Composer:

composer require paragonie/random_compatrequire 'vendor/autoload.php';$string = random_bytes(32);var_dump(bin2hex($string));// string(64) "8757a27ce421b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2aaec6f"$int = random_int(0,255);var_dump($int);// int(81)

Random_compat library and PHP7 use different order:

fread() /dev/urandom if availablemcrypt_create_iv($bytes, MCRYPT_CREATE_IV)COM('CAPICOM.Utilities.1')->GetRandom()openssl_random_pseudo_bytes()

A simple application of this library is used to generate passwords:

$passwordChar = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';$passwordLength = 8;$max = strlen($passwordChar) - 1;$password = '';for ($i = 0; $i < $passwordLength; ++$i) { $password .= $passwordChar[random_int(0, $max)];}echo $password;//possible output: 7rgG8GHU"How to understand random functions in PHP" content introduced here, thank you for reading. If you want to know more about industry-related knowledge, you can pay attention to the website. Xiaobian will output more high-quality practical articles for everyone!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.