Better Understanding Random

Random values are crucial in computer programming for developing secure systems that are not vulnerable to malicious subversion. Cryptography, for example, relies on the generation or random values and their reproducibility for unpredictable output. Random values also play a fundamental role in many secure PHP applications, and many libraries and frameworks rely on them for generating tokens, salts, and as input for other functions.

A random number generator is an algorithm that generates a sequence of seemingly random numbers. The input value for initializing such an algorithm is known as the initial state, or the seed. The seed may be random data value or a known value.

In this article I’ll give you an overview of what random values are used for and why they’re important, as well as a peek under the hood of how they’re generated.

The Use of Random Values

Random values in PHP are very important as they are used for a wide variety of purposes. Secure coding practices require that certain things such as CSRF tokens, API keys, authorization nonces, password reset tokens, and other such things be created with a great amount of unpredictability. They should be created in a way that is very hard for anyone to guess.

Some of the important uses for random values are:

  • Generation of salts for cryptography – A salt is a random value that is used as input to an encryption function, usually a one-way function, for hashing passwords. This random data is referred to as the initialization vector for encryption.
  • Generation of unique identifiers such as Session IDs – PHP is used in the development of many great web applications that require security and persistence for the users. PHP enables building customized applications and more appealing websites with its session support which, through the use of session IDs, provides a way to preserve certain data across subsequent request.
  • Generation of hard-to-guess tokens/nonces for authorization – many PHP applications are required to make API calls to other applications and systems. Such calls will often require the use of authorization tokens rather than sending user credentials over the network. Using hard-to-guess tokens is thus very important, and random values play a role in generating these tokens to ensure security.

Random Value Generation

To generate random values for such uses, PHP uses pseudo-random number generators. The algorithms available are:

These algorithms do not generate actual random numbers, but numbers which are distributed in a way that approximates real random numbers. The algorithm is seeded with a random value for generation of the pseudorandom sequence.

Seeding the Generator

Seeding is the initialization of the random number generator using a number or vector which is known as the seed. The integrity of the seed value is very important with pseudorandom generators since the same set of pseudo-random values will be generated when run multiple times with the same seed. If an attacker gets the seed, he can predict the future output sets.

In PHP, the random data for seeding the random number generator can be obtained in two ways. One way is using the mt_srand() function to manually set the seed. This way is mainly used in legacy systems, or unit testing seemingly random series. The second way of getting the seed is to let PHP generate it automatically. This is the most preferred way and mainly used in the newer versions of PHP (4.2 and beyond). An algorithm reinitializes the seed so that the same seed is not used over and over again is used with the Mersenne Twister algorithm.

PHP uses other means of getting a high quality seed for generation of random values for use in non-trivial tasks such as encryption. The means is supplied through the operating system platform that PHP running on. Thus, PHP requires running on an operating system that supplies the initial seed.

On Linux platforms, the seed is accessed from < code>/dev/urandom using the mcrypt_create_iv() or openssl_pseudo_random_bytes() functions. Windows provides a cryptographically secure pseudo-random generator that can be accessed using extensions that provide the openssl_pseudo_random_bytes() and the mcrypt_create_iv() functions.

Conclusion

Because random values are very important for security applications as well as achieving various programming tasks, the use of high-quality seeds for the generators is a factor that a programmer should always have in mind. The use of just any seed for non-trivial tasks such as password hashing may result in a high security risk. Ensure the use of strong random generators and high quality seeds.

Image via Fotolia

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • http://blog.astrumfutura.com Patrick Brady

    Much longer and detailed chapter on randomness and its security implications can be read here: http://phpsecurity.readthedocs.org/en/latest/Insufficient-Entropy-For-Random-Values.html

    In short, for any non-trivial usage (anything that needs a random value that should never be guessable, i.e. CSRF token, nonce, API key, password reset key), you should use openssl_pseudo_random_bytes() or mcrypt_create_iv() where possible. You should never use rand(), mt_rand() or uniqid() in these cases since the seeds are weak enough that they are guessable depending on the application.

    • http://www.pixelcrayons.com/ Mark Wilston

      I appreciate that you shared a good reference here which provides more detailed information about PHP randomness and security. Thanks!

  • http://www.blogbazzar.com waqas

    I didn’t know there is so much to learn in randomness….especially in PHP thanks for detailed info…will use it for sure in next project