defuse/php-passgen

About the random bytes generator

ivantcholakov opened this issue · 4 comments

Line 116:

$rawBinary = mcrypt_create_iv($numInts * PHP_INT_SIZE, MCRYPT_DEV_URANDOM);

This is a dependency on the mcrypt PHP extension. What about making random bytes generation more tolerant to system configuration? I found this: https://github.com/GeorgeArgyros/Secure-random-bytes-in-PHP

The best you can do in PHP is to try:

  • Use mcrypt
  • Use openssl
  • Read directly from /dev/urandom

I might consider doing a second (separate) library that safely tries each of these, but for now it's as easy as apt-get install php5-mcrypt.

That library already exists: https://github.com/ircmaxell/RandomLib
No point inventing another one.

The random_bytes() function could be used. For PHP 5.x the polyfill https://github.com/paragonie/random_compat could be proposed for installation through Composer.

Given the way that random_int works, am I right in thinking that it would actually make most of this library redundant? It seems to use a technique very similar to the one used in this library to be able to pick an unbiased int value between a min (e.g. 0) and max (e.g. character array length - 1).

With that in mind, the implementation of this library could be simplified all the way down to getting a random_int between 0 and N-1, and using the character at that index to build a string of the requested length.
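
The simplification proposed in the last comment, as an added example that is not part of the thread or of defuse/php-passgen. The function names are hypothetical; it assumes PHP 7+ (or random_compat supplying random_int() and random_bytes()) and a single-byte character set. The second function shows rejection sampling, one common way to draw an unbiased index from raw bytes, for comparison with the biased modulo shortcut.

```php
<?php
// Added example: not code from defuse/php-passgen.
// Assumes PHP 7+ and a charset made of single-byte characters.

/** One random_int() call per character; random_int() is unbiased by contract. */
function passgen_simple(int $length, string $charset): string
{
    $n = strlen($charset);
    if ($length < 1 || $n < 2) {
        throw new InvalidArgumentException('need length >= 1 and at least 2 characters');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $charset[random_int(0, $n - 1)];
    }
    return $out;
}

/**
 * Rejection sampling over raw CSPRNG bytes, for 1 <= $n <= 256.
 * Mask each byte down to the smallest power-of-two range covering $n and
 * discard values >= $n. Plain `ord($byte) % $n` would instead favour the
 * low indices whenever 256 is not a multiple of $n.
 */
function unbiased_index(int $n): int
{
    if ($n < 1 || $n > 256) {
        throw new InvalidArgumentException('n must be in 1..256');
    }
    $mask = 1;
    while ($mask < $n) {
        $mask <<= 1;
    }
    $mask -= 1; // e.g. n = 62 gives mask = 63, so only 62 and 63 are rejected
    do {
        $v = ord(random_bytes(1)) & $mask;
    } while ($v >= $n);
    return $v;
}

$charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
echo passgen_simple(20, $charset), PHP_EOL;

// Same result built by hand from random_bytes(), without random_int().
$manual = '';
for ($i = 0; $i < 20; $i++) {
    $manual .= $charset[unbiased_index(strlen($charset))];
}
echo $manual, PHP_EOL;
```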