First, I want to ask: Does anyone else think we should draw a distinction 
between RNGs and CSPRNGs?

I ask this because the OpenSSL option here is the only CSPRNG; the others are 
trivially breakable and should not be used for cryptographic applications. I 
could see an argument for wanting to use them in non-security contexts but I'm 
wondering if the API should make it clear when that is being done.

Secondly, a good place to look for defining a standard secure CSPRNG is FIPS 
140-2 Annex C (csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf)

Bryan

-----Original Message-----
From: Marc Bennewitz [mailto:p...@marc-bennewitz.de] 
Sent: Friday, August 30, 2013 2:59 PM
To: internals@lists.php.net
Subject: Re: [PHP-DEV] More powerful (and backward compatible) API of random 
number generator functions

On 30.08.2013 04:30, Yasuo Ohgaki wrote:
> On Thu, Aug 29, 2013 at 9:00 PM, Ángel González <keis...@gmail.com> wrote:
> 
>> Marc Bennewitz wrote:
>>
>>> Idea for an RFC for a more powerful (and backward compatible) API of 
>>> random number generator functions.
>>>
>>> The following pseudocode is self-explanatory (hopefully)
>>>
>>> const RAND_ALGO_LIBC
>>> const RAND_ALGO_MERSENNE_TWISTER
>>> const RAND_ALGO_OPENSSL
>>> const RAND_ALGO_GMP
>>>
>> (...)
>>
>>> What do you think?
>>>
>>
>> Why do you want them?
> 
> 
> This proposal is good because we need the best random function 
> available in a system with easy to use API. I would like to see the 
> best algorithm in a system as default.
> 

Defining the "best" algorithm as the standard default would be great, but what 
is the best algorithm? Some are fast but less secure and others are more secure 
but slow.

Some time ago I read a feature request to implement the Mersenne Twister 
algorithm for rand/shuffle/array_rand but this was closed because it would be a 
BC break. (can't find it now).

Best Regards
Marc

--
PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: 
http://www.php.net/unsub.php

