PHP and .NET, Secure RndNum Generation using DOTNET class

Alright this one has been doing my head in, I’m trying to use a .NET component for creating a secure random number, that is cryptographically secure. The functions built into PHP (rand and mt_rand) are not secure enough. There used to be a COM Object in Windows that would have worked, except its been removed from Windows 7. So now I’m turning my gaze to .NET which offers a class just for this.

System.Security.Cryptography.RNGCryptoServiceProvider

Getting this loaded up with PHP is the easy part no problem there. The issue is calling “GetBytes” which wants a Byte array (System.Byte[]) which PHP has no type for that other then array. Attempted to use Variant which doesn’t work. I’m going to assume there is actually no way to do this…


$bytes = ...something...;
$random = new DOTNET( "mscorlib", "System.Security.Cryptography.RNGCryptoServiceProvider" );
$random->GetBytes( $bytes );

I am wanting to avoid having to create my own .NET class to play middle-man. However, that just might be what I’ll have to do. :confused: If anyone has an suggestions or a any alternative ideas on getting a secure Random Number generator that is cryptographically secure.

  • I suppose I could also install and register the old COM object that was removed, when I have that level of access to a server. Not always the case…

On a side note, it would be nice if the PHP team exposed the Windows CryptoAPI they are using when you configure Sessions to use it.

session.entropy_file string[I]

session.entropy_file[/I] gives a path to an external resource (file) which will be used as an additional entropy source in the session id creation process. Examples are /dev/random or /dev/urandom which are available on many Unix systems. This feature is supported on Windows since PHP 5.3.3. Setting session.entropy_length to a non zero value will make PHP use the Windows Random API as entropy source.
That would make this so much easier! :injured:

Not exactly a solution LE, but as a Byte Array is just an array of Bytes


Array
(
    [0] => 97
    [1] => 98
    [2] => 99
    [3] => 100
    [4] => 101
    [5] => 102
    [6] => 103
    [7] => 104
    [8] => 105
    [9] => 106
    [10] => 107
    [11] => 108
    [12] => 109
    [13] => 110
    [14] => 111
    [15] => 112
    [16] => 113
    [17] => 114
    [18] => 115
    [19] => 116
    [20] => 117
    [21] => 118
    [22] => 119
    [23] => 120
    [24] => 121
    [25] => 122
)

Could you not pass the following string to RNGCryptoServiceProvider::GetBytes ?


97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

Or add a method to RNGCryptoServiceProvider to convert this string into a native Byte array ?

Sorry, I missed this.

I wonder if you can use some element of PHP’s crypt library LE ? [fphp]mcrypt_create_iv[/fphp] maybe?

Hmmm well, completely passed me by to look at mcrypt. I’ll take a look at the source code of mcrypt to see whats it is doing on Windows. Heres hoping it uses the CryptoAPI. XD

  • Edit. Well well it does indeed use the CryptoAPI :smiley: mcrypt_create_iv looking to be a lot better then my lame “random” function. And still portable to UNIX/LINUX systems as well. Yays. XD

Great news, I’m glad you sorted it.