Random values are crucial in computer programming for developing secure systems that are not vulnerable to malicious subversion. Cryptography, for example, relies on the generation or random values and their reproducibility for unpredictable output. Random values also play a fundamental role in many secure PHP applications, and many libraries and frameworks rely on them for generating tokens, salts, and as input for other functions.
A random number generator is an algorithm that generates a sequence of seemingly random numbers. The input value for initializing such an algorithm is known as the initial state, or the seed. The seed may be random data value or a known value.
In this article I’ll give you an overview of what random values are used for and why they’re important, as well as a peek under the hood of how they’re generated.
The Use of Random Values
Random values in PHP are very important as they are used for a wide variety of purposes. Secure coding practices require that certain things such as CSRF tokens, API keys, authorization nonces, password reset tokens, and other such things be created with a great amount of unpredictability. They should be created in a way that is very hard for anyone to guess.
Some of the important uses for random values are:
- Generation of salts for cryptography – A salt is a random value that is used as input to an encryption function, usually a one-way function, for hashing passwords. This random data is referred to as the initialization vector for encryption.
- Generation of unique identifiers such as Session IDs – PHP is used in the development of many great web applications that require security and persistence for the users. PHP enables building customized applications and more appealing websites with its session support which, through the use of session IDs, provides a way to preserve certain data across subsequent request.
- Generation of hard-to-guess tokens/nonces for authorization – many PHP applications are required to make API calls to other applications and systems. Such calls will often require the use of authorization tokens rather than sending user credentials over the network. Using hard-to-guess tokens is thus very important, and random values play a role in generating these tokens to ensure security.
Random Value Generation
To generate random values for such uses, PHP uses pseudo-random number generators. The algorithms available are:
- Linear Congruential Generator (LCG), used when you call the
- The Marsenne-Twister algorithm, more commonly used and is used when the
mt_rand()function is called.
rand()function which is a locally-supported C function.
These algorithms do not generate actual random numbers, but numbers which are distributed in a way that approximates real random numbers. The algorithm is seeded with a random value for generation of the pseudorandom sequence.
Seeding the Generator
Seeding is the initialization of the random number generator using a number or vector which is known as the seed. The integrity of the seed value is very important with pseudorandom generators since the same set of pseudo-random values will be generated when run multiple times with the same seed. If an attacker gets the seed, he can predict the future output sets.
In PHP, the random data for seeding the random number generator can be obtained in two ways. One way is using the
mt_srand() function to manually set the seed. This way is mainly used in legacy systems, or unit testing seemingly random series. The second way of getting the seed is to let PHP generate it automatically. This is the most preferred way and mainly used in the newer versions of PHP (4.2 and beyond). An algorithm reinitializes the seed so that the same seed is not used over and over again is used with the Mersenne Twister algorithm.
PHP uses other means of getting a high quality seed for generation of random values for use in non-trivial tasks such as encryption. The means is supplied through the operating system platform that PHP running on. Thus, PHP requires running on an operating system that supplies the initial seed.
On Linux platforms, the seed is accessed from /dev/urandom using the
openssl_pseudo_random_bytes() functions. Windows provides a cryptographically secure pseudo-random generator that can be accessed using extensions that provide the
openssl_pseudo_random_bytes() and the
Because random values are very important for security applications as well as achieving various programming tasks, the use of high-quality seeds for the generators is a factor that a programmer should always have in mind. The use of just any seed for non-trivial tasks such as password hashing may result in a high security risk. Ensure the use of strong random generators and high quality seeds.
Image via Fotolia