Hi all, On Mon, Jan 30, 2017 at 10:08 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Issues are >> - Current mt_rand() is not fully exploited. It wastes more than 99% of its >> random cycle. >> >> This was discussed in Aug last year and dropped. >> > I didn't notice the discussion, let's discuss again. > > It does not make sense to discard more than 99% of cycle. In addition, MT > rand reference implementation is capable to initialize whole state buffer, > why we shouldn't have it? > First of all, users should never use mt_rand() for any security related purposes. However, there are too many codes that use mt_rand() for the purpose. MT rand is a lot harder to predict than older predictable PRNG. Many users misunderstood it as "secure like CSPRNG" because it is advertised "very secure and hard to predict than older PRNG" too much. Attackers can get "mt_rand() generated random string" very easily on many apps. Apps generate access token by mt_rand() is just a matter of requesting proper apps' feature. e.g. password generated by mt_rand(), access token generated by mt_rand(). With ideal implementation, attackers must search random sequence from 2^19937−1 cycle, but they can guess random sequence easily because PHP's mt_rand() has only 2^32 initial states. It's far less than 1% of MT rand capability. This allows attackers to guess "mt_rand() generated random string" easily than it could be. Attackers may get victim's correct password with combination of "getting mt_rand() generated password" and "social engineering", e.g. Notify victim "Your account is compromised, please reset your password. Please make sure to use system generated strong random password". Exploiting Access token that allows access to system by itself could be even easier. Attackers generate mt_rand() created access token and guess next access token to be generated, then use the access token that is owned by poor victim. _Mainly_, it is users fault because mt_rand() should never be used for above purpose, but mt_rand() generated random string being extremely weak than it could be is our fault. Our part could be fixed by us. Let's fix it now. Lauri made patch for unseeded mt_rand(). I'll prepare patch that allows int array initialization for mt_srand() so that whole state buffer can be initialized as user specifies. void mt_srand(int|array $seed) where $seed could be $seed = [123456789, 987654321, ....]; // Up to max size of state buffer It can be said current mt_rand() is good enough for the purpose. I totally agree with this. However, I cannot agree that current mt_rand() implementation is ideal/what is should be. Any comments? Regards, -- Yasuo Ohgaki yohg...@ohgaki.net