Pro Yearly is on sale from $80 to $50! »

Let's Get Random - Under The Hood of PHP 7's CSPRNG - php[tek] 2018

Let's Get Random - Under The Hood of PHP 7's CSPRNG - php[tek] 2018

Talk given at php[tek] 2018

What is random? If you think about it, describing randomness is quite difficult; and so is generating random numbers for computers. If you get it wrong, you can open your app to serious security exploits.

Unfortunately true randomness is a non-trivial achievement for computers. In fact, using weak sources of randomness can leave your application open to myriad vulnerabilities. Enter: a good cryptographically secure pseudorandom number generator (CSPRNG).

We'll discuss the importance of using good sources of randomness, the CSPRNG options we had in PHP 5.x, and how the new CSPRNG functions in PHP 7 work under the hood. Learn how to get it right in this talk about PHP's cryptographically secure RNG.

8c090cc1ccd623a146ddd9159b1bf7e2?s=128

Sammy Kaye Powers

May 31, 2018
Tweet

Transcript

  1. joind.in/talk/d4f3a @SammyK #phptek PHP[TEK] 2018 Wifi: Sheraton Conference Pass: phptek2018

    Twitter: #phptek Rate the Talks https:/ /joind.in/event/phptek-2018
  2. Random Under the hood of PHP 7’s Let’s get CSPRNG

    Sammy Kaye Powers 2018-05-31
  3. joind.in/talk/d4f3a @SammyK #phptek Thanks to Our Sponsors

  4. joind.in/talk/d4f3a @SammyK #phptek Slides Get the joind.in/talk/d4f3a

  5. joind.in/talk/d4f3a @SammyK #phptek CSPRNG? What is the PHP 7

  6. joind.in/talk/d4f3a @SammyK #phptek random_int() random_bytes()

  7. joind.in/talk/d4f3a @SammyK #phptek ext/standard/random.c

  8. joind.in/talk/d4f3a @SammyK #phptek The end

  9. joind.in/talk/d4f3a @SammyK #phptek Random? What is

  10. joind.in/talk/d4f3a @SammyK #phptek

  11. joind.in/talk/d4f3a @SammyK #phptek

  12. joind.in/talk/d4f3a @SammyK #phptek

  13. joind.in/talk/d4f3a @SammyK #phptek Meaning Is there to these “random” things?

  14. joind.in/talk/d4f3a @SammyK #phptek Experiment I did an on myself

  15. joind.in/talk/d4f3a @SammyK #phptek

  16. joind.in/talk/d4f3a @SammyK #phptek 42

  17. joind.in/talk/d4f3a @SammyK #phptek

  18. joind.in/talk/d4f3a @SammyK #phptek

  19. joind.in/talk/d4f3a @SammyK #phptek

  20. joind.in/talk/d4f3a @SammyK #phptek

  21. joind.in/talk/d4f3a @SammyK #phptek

  22. joind.in/talk/d4f3a @SammyK #phptek

  23. joind.in/talk/d4f3a @SammyK #phptek

  24. joind.in/talk/d4f3a @SammyK #phptek

  25. joind.in/talk/d4f3a @SammyK #phptek Every wher

  26. joind.in/talk/d4f3a @SammyK #phptek Finish this sentence On the way home

    I got a flat ____. tire
  27. joind.in/talk/d4f3a @SammyK #phptek Think of a two-digit number both digits

    different from each other both digits odd between 1 and 100
  28. joind.in/talk/d4f3a @SammyK #phptek Are you thinking of… 37

  29. joind.in/talk/d4f3a @SammyK #phptek

  30. joind.in/talk/d4f3a @SammyK #phptek 11 random? What makes a number

  31. joind.in/talk/d4f3a @SammyK #phptek 2, 4, 6, 8, __ 10

  32. joind.in/talk/d4f3a @SammyK #phptek 1337, 42, 0, _ ?

  33. joind.in/talk/d4f3a @SammyK #phptek 1337, 42, 0, 1337, 42, 0, 1337,

    __ 42
  34. joind.in/talk/d4f3a @SammyK #phptek Random? What is isn’t Deterministic

  35. joind.in/talk/d4f3a @SammyK #phptek “True” Random Measurement of atmospheric noise Count

    of the number of electrons coming off of a radioactive material
  36. None
  37. joind.in/talk/d4f3a @SammyK #phptek Can I haz random number?

  38. joind.in/talk/d4f3a @SammyK #phptek

  39. joind.in/talk/d4f3a @SammyK #phptek

  40. joind.in/talk/d4f3a @SammyK #phptek *sigh* Take this. 42

  41. joind.in/talk/d4f3a @SammyK #phptek

  42. joind.in/talk/d4f3a @SammyK #phptek 0

  43. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,1 ?

  44. joind.in/talk/d4f3a @SammyK #phptek Number Generator …or “PRNG” for short Pseudorandom

  45. joind.in/talk/d4f3a @SammyK #phptek Pseudorandom? How’s that different than just random?

    Deterministic
  46. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,1 Generator Linear Congruential

  47. joind.in/talk/d4f3a @SammyK #phptek Generator Linear Congruential

  48. joind.in/talk/d4f3a @SammyK #phptek

  49. joind.in/talk/d4f3a @SammyK #phptek The modulus The multiplier The increment The

    seed
  50. joind.in/talk/d4f3a @SammyK #phptek

  51. joind.in/talk/d4f3a @SammyK #phptek

  52. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5,

  53. joind.in/talk/d4f3a @SammyK #phptek 2,4,8, 7,5, Deterministic

  54. joind.in/talk/d4f3a @SammyK #phptek https://xkcd.com/221/

  55. joind.in/talk/d4f3a @SammyK #phptek

  56. joind.in/talk/d4f3a @SammyK #phptek

  57. joind.in/talk/d4f3a @SammyK #phptek 8,7,5, 1,2,

  58. joind.in/talk/d4f3a @SammyK #phptek 1,2,4, 8,7, BUT!

  59. joind.in/talk/d4f3a @SammyK #phptek

  60. 5,1,2,4,8,7,5, 1,2,4,8,7,5,1, 2,4,8,7,5,1,2, 4,8,7,5,1,2,4, 8,7,5,1,2,4,8, 7,5,1,2,4, Predictable

  61. joind.in/talk/d4f3a @SammyK #phptek LCG lcg_value() PHP has a combined

  62. joind.in/talk/d4f3a @SammyK #phptek PRNG? Is there a better

  63. joind.in/talk/d4f3a @SammyK #phptek Twister Mersenne mt_rand()

  64. joind.in/talk/d4f3a @SammyK #phptek

  65. mt_rand() 724937621,955931554,1407935661,821438740,109344 9922,603009103,1540988686,1028238631,798475733, 1057939018,671583233,1853117923,98760648,112245 3373,534404057,900958085,1712824654,476385742,2 9956470,362833620,424798798,746223917,942003531 ,320462445,673296853,1351199651,141566289,16454 09515,995047403,1216151582,1115999460,175322091 7,1312071810,1553254094,1622498991,2080099801,1 704834715,1537620663,1357630828,1317892558,

    219,937-1
  66. joind.in/talk/d4f3a @SammyK #phptek

  67. mt_rand(0,99) 83,9,64,28,62,48,83,47,46,53,37,26,21,91,61,32,58,1,89,60,65,97,42,56,6,47,76,1 2,98,11,36,61,62,60,43,67,6,16,73,15,39,38,56,19,66,56,98,72,91,24,57,94,8,26,7 3,55,17,14,84,89,39,11,13,48,71,98,89,63,9,95,74,9,81,85,97,24,14,14,77,22,96,4 3,61,91,61,58,19,71,8,49,18,92,38,34,9,36,91,59,14,4,58,59,29,74,52,41,36,67,82 ,67,11,0,58,51,37,4,45,56,35,50,78,91,27,39,80,27,28,95,2,82,51,72,27,41,43,74, 7,82,59,89,72,9,22,61,75,27,64,16,77,57,31,29,59,47,14,67,89,33,94,33,94,22,11, 62,9,13,61,45,78,29,3,11,99,91,52,79,63,64,43,99,53,22,16,10,53,57,15,84,16,30, 17,10,3,35,0,45,83,11,70,66,37,14,59,41,46,52,53,53,62,56,41,82,40,99,8,92,96,2 2,22,43,35,60,45,77,26,96,45,51,62,77,64,23,52,17,17,97,93,57,43,56,45,62,42,24

    ,62,1,59,38,70,13,34,32,48,47,1,42,48,18,2,59,47,53,10,3,66,68,93,4,53,85,20,77 ,63,43,45,16,15,77,73,89,11,64,76,30,46,91,1,85,96,19,63,70,62,35,58,95,63,38,7 8,83,8,97,22,2,28,51,25,29,98,62,74,59,95,79,74,66,47,35,83,56,49,25,32,25,46,1 3,69,77,30,94,24,31,68,23,64,47,28,33,65,69,16,0,98,37,85,93,60,24,10,54,50,42, 64,11,9,13,15,84,3,23,73,83,83,72,9,2,28,23,90,73,2,47,45,93,4,32,25,75,61,98,7 3,79,66,23,20,83,11,45,67,40,39,45,0,65,40,78,74,8,79,86,38,10,87,60,99,30,35,5 0,16,29,24,19,29,16,40,57,87,26,90,1,63,63,34,44,8,36,25,38,50,10,15,17,14,40,6 ,53,88,18,36,46,69,2,13,0,83,59,92,59,34,34,24,40,99,41,6,79,65,98,9,36,31,8,4, 89,98,91,80,42,10,26,72,40,50,39,25,33,45,24,70,54,89,91,53,23,12,20,40,21,25,5 5,48,11,3,84,42,5,7,21,58,85,18,52,92,94,69,20,49,3,8,55,57,4,38,52,37,64,55,82 ,98,5,75,84,35,14,99,74,23,41,69,55,53,22,52,6,68,35,38,73,52,22,52,86,79,15,38 ,3,20,99,36,23,77,33,80,16,97,54,88,11,77,77,99,70,26,5,75,87,4,23,8,50,79,61,5 5,80,25,58,79,25,56,9,81,6,42,27,90,58,6,62,74,25,79,81,61,23,54,92,53,16,66,22 ,49,77,97,84,25,49,32,49,65,51,1,93,63,68,69,67,10,44,99,44,42,89,35,24, 624 = busted
  68. echo mt_rand(0,99); 11

  69. echo mt_rand(0,99); 9

  70. echo mt_rand(0,99); 60

  71. mt_srand(10); echo mt_rand(0,99); 21

  72. mt_srand(10); echo mt_rand(0,99); 21

  73. mt_srand(10); echo mt_rand(0,99); 21

  74. joind.in/talk/d4f3a @SammyK #phptek CSRF Take for example Tokens

  75. joind.in/talk/d4f3a @SammyK #phptek Cross-site request forgery (CSRF) tokens help prevent

    unauthorized requests on a user’s behalf.
  76. joind.in/talk/d4f3a @SammyK #phptek A CSRF token must be unique and

    unpredictable.
  77. joind.in/talk/d4f3a @SammyK #phptek

  78. joind.in/talk/d4f3a @SammyK #phptek

  79. joind.in/talk/d4f3a @SammyK #phptek

  80. joind.in/talk/d4f3a @SammyK #phptek I’ll just let PHP seed mt_rand() for

    me. Bad idea jeans *Old SNL skit reference
  81. joind.in/talk/d4f3a @SammyK #phptek

  82. joind.in/talk/d4f3a @SammyK #phptek What about rand() you ask?

  83. joind.in/talk/d4f3a @SammyK #phptek Nope

  84. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() …in PHP 7.0 & below

  85. joind.in/talk/d4f3a @SammyK #phptek rand() Uses the system PRNG (unreliable &

    inconsistent) Is a PRNG (totes predictable) Uniform distribution issues
  86. joind.in/talk/d4f3a @SammyK #phptek Uniform Distribution

  87. joind.in/talk/d4f3a @SammyK #phptek 0 0.05 0.1 0.15 0.2 1 2

    3 4 5 6
  88. joind.in/talk/d4f3a @SammyK #phptek 0 0.1 0.2 0.3 0.4 1 2

    3 4 5 6
  89. joind.in/talk/d4f3a @SammyK #phptek Uniform Distribution == True Random

  90. joind.in/talk/d4f3a @SammyK #phptek mt_rand() Implements the MT algorithm incorrectly Is

    a PRNG (totes predictable) Has a modulo bias
  91. joind.in/talk/d4f3a @SammyK #phptek Modulo Bias

  92. joind.in/talk/d4f3a @SammyK #phptek 6 % 3 = 0 8 %

    3 = 2 Modulo Operator
  93. joind.in/talk/d4f3a @SammyK #phptek Random # between 0 & 1 n

    % 2 = 0 or 1 Use mod 2
  94. joind.in/talk/d4f3a @SammyK #phptek rand_src() = 1, 2, or 3 2

    % 2 = 0 3 % 2 = 1 1 is more likely 1 % 2 = 1
  95. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() …in PHP 7.1 & above

  96. joind.in/talk/d4f3a @SammyK #phptek mt_rand() Fixes bug in MT algorithm implementation

    Is a PRNG (totes predictable)
  97. joind.in/talk/d4f3a @SammyK #phptek They’re totes samezies! rand() mt_rand() ===

  98. joind.in/talk/d4f3a @SammyK #phptek

  99. joind.in/talk/d4f3a @SammyK #phptek rand() mt_rand() Both suffer from modulo bias

    &
  100. joind.in/talk/d4f3a @SammyK #phptek Seeds aren’t impossible to predict

  101. joind.in/talk/d4f3a @SammyK #phptek Entropy *Could be it’s own talk

  102. joind.in/talk/d4f3a @SammyK #phptek A measure of how accurately we’re able

    to predict the next value in a sequence.* * oversimplification
  103. joind.in/talk/d4f3a @SammyK #phptek High entropy harder to predict Low entropy

    easier to predict
  104. joind.in/talk/d4f3a @SammyK #phptek High entropy harder to predict Good for

    random number generation
  105. joind.in/talk/d4f3a @SammyK #phptek Cryptographically Pseudorandom Secure Number Generator

  106. joind.in/talk/d4f3a @SammyK #phptek CSPRNG or…

  107. joind.in/talk/d4f3a @SammyK #phptek “See Spring” or…

  108. Unicorn Magical

  109. Uses seeds that are really really really really ridiculously hard

    to guess
  110. joind.in/talk/d4f3a @SammyK #phptek High Entropy wee!

  111. joind.in/talk/d4f3a @SammyK #phptek impossible It’s values are to predict in

    practice 42 82 Suitable for use in cryptographic contexts.
  112. mythical Where can we find this creature?

  113. joind.in/talk/d4f3a @SammyK #phptek CSPRNG options in 5.x

  114. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  115. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  116. joind.in/talk/d4f3a @SammyK #phptek Since the UNIX fork() system call duplicates

    the entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child […], leading to cryptographic disaster… https://wiki.openssl.org/index.php/Random_fork-safety
  117. joind.in/talk/d4f3a @SammyK #phptek OpenSSL’s be like 42 CSPRNG 82 82

  118. joind.in/talk/d4f3a @SammyK #phptek OpenSSL cannot fix the fork-safety problem because

    its not in a position to do so. However, there are [solutions] available and they are listed below. https://wiki.openssl.org/index.php/Random_fork-safety
  119. joind.in/talk/d4f3a @SammyK #phptek Don't use RAND_bytes https://wiki.openssl.org/index.php/Random_fork-safety

  120. joind.in/talk/d4f3a @SammyK #phptek Instead, you can read directly from /dev/random,

    /dev/urandom or /dev/srandom; or use CryptGenRandom on Windows systems. https://wiki.openssl.org/index.php/Random_fork-safety
  121. joind.in/talk/d4f3a @SammyK #phptek mcrypt_create_iv() /dev/urandom openssl_random_pseudo_bytes()

  122. joind.in/talk/d4f3a @SammyK #phptek

  123. joind.in/talk/d4f3a @SammyK #phptek

  124. joind.in/talk/d4f3a @SammyK #phptek

  125. joind.in/talk/d4f3a @SammyK #phptek /dev/urandom openssl_random_pseudo_bytes() mcrypt_create_iv()

  126. joind.in/talk/d4f3a @SammyK #phptek open_basedir=/foo/dir

  127. joind.in/talk/d4f3a @SammyK #phptek openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  128. joind.in/talk/d4f3a @SammyK #phptek CSPRNG New goodness 7

  129. joind.in/talk/d4f3a @SammyK #phptek CSPRNG random_int() random_bytes()

  130. random_int(0,99) 6,17,6,9,17,53,58,98,46,44,62,9,76,65,46,21,42,5,65,34,11,96,85,7,46,89,98,9,9, 80,8,76,87,18,24,68,16,61,27,39,30,32,4,83,83,23,96,27,13,47,6,99,16,40,2,75,27 ,3,79,68,75,60,50,70,63,17,75,29,79,57,9,48,18,86,95,25,40,52,20,86,6,48,94,27, 76,14,9,27,62,14,68,58,12,18,63,19,84,47,7,13,63,28,66,55,2,75,44,92,11,85,51,1 7,42,57,22,4,53,7,3,76,48,55,95,7,45,33,87,36,11,17,66,6,46,87,57,48,22,31,65,5 ,26,10,47,82,97,74,25,32,63,60,29,53,13,24,56,54,52,86,67,4,94,35,48,73,35,45,2 4,74,74,83,49,70,41,49,20,60,29,49,30,35,38,63,4,86,72,97,26,22,36,95,59,94,24, 89,73,46,14,73,51,93,93,39,13,80,9,30,24,20,30,63,20,64,97,29,7,2,82,96,42,61,5 3,28,49,12,90,71,58,72,63,49,32,69,76,50,62,88,31,26,72,79,19,15,3,39,27,80,16,

    65,62,53,82,59,23,85,95,41,68,86,3,92,76,91,88,12,20,96,14,35,50,94,24,23,44,55 ,78,65,81,7,1,86,32,58,46,97,43,78,9,51,1,6,79,73,49,13,40,21,90,14,9,70,95,88, 37,85,14,7,29,42,55,81,46,39,41,45,81,11,93,26,89,4,98,35,30,36,74,97,18,85,97, 23,52,64,88,20,89,12,25,19,21,21,50,60,50,43,84,1,52,5,19,2,86,38,51,48,30,55,9 0,93,97,52,84,29,58,96,78,37,24,14,72,81,9,82,26,83,83,17,35,15,9,87,95,51,71,4 8,9,45,13,61,98,3,18,96,99,28,74,47,58,71,89,68,57,51,86,90,38,21,72,72,30,22,1 3,88,25,48,45,62,59,81,32,10,54,82,60,90,17,98,41,73,98,60,22,99,66,32,41,82,62 ,91,3,85,91,21,17,98,19,48,50,24,67,3,14,62,55,35,99,95,83,76,12,51,77,61,24,24 ,60,15,31,47,24,27,97,98,70,6,24,25,20,23,67,72,55,47,19,53,50,38,22,76,37,63,8 2,67,52,3,75,84,84,71,49,79,26,89,11,77,55,92,32,81,38,23,54,9,40,80,75,20,7,58 ,37,72,75,59,46,32,41,82,90,72,59,5,42,2,94,44,44,4,15,37,29,24,10,51,18,8,42,5 6,9,68,31,99,7,77,59,8,74,80,11,15,93,81,5,72,44,49,39,25,4,18,98,0,93,42,78,36 ,57,47,16,49,2,85,6,31,17,81,10,54,40,95,68,31,80,29,41,86,32,9,58,96,62,79,25, 6,45,56,54,0,61,74,90,12,34,11,56,3,41,39,84,32,30,42,81,36,43,5,
  131. joind.in/talk/d4f3a @SammyK #phptek bin2hex(random_bytes(16)) f7f5289027cb6c5116d 2d3cc78e5819c

  132. joind.in/talk/d4f3a @SammyK #phptek You’re not strong until you’re crypto-strong!

  133. CSPRNG under the hood

  134. None
  135. joind.in/talk/d4f3a @SammyK #phptek On Windows: CryptGenRandom On BSD: arc4random_buf() On

    Linux: getrandom(2) syscall Read directly from /dev/urandom
  136. Fail Closed

  137. joind.in/talk/d4f3a @SammyK #phptek /dev/urandom So what is this thing?

  138. /dev/urandom Gathers environmental noise from the system like… …device drivers,

    inter-keyboard timings, inter-interrupt timings from some interrupts, and other events which are both (a) non-deterministic and (b) hard for an outside observer to measure. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/char/random.c
  139. joind.in/talk/d4f3a @SammyK #phptek CSPRNG random_bytes() random_int() 7 /dev/urandom Powered by

  140. joind.in/talk/d4f3a @SammyK #phptek Still on 5.x? paragonie/random_compat Polyfill for PHP

    7 CSPRNG
  141. joind.in/talk/d4f3a @SammyK #phptek TL;DR Never use LCG, MT, or any

    other PRNG in cryptographic contexts Only use a CSPRNG like /dev/urandom for crypto Use random_bytes() & random_int() in PHP (or install paragonie/random_compat)
  142. joind.in/talk/d4f3a @SammyK #phptek More Resources

  143. joind.in/talk/d4f3a @SammyK #phptek Recommendation for the Entropy Sources Used for

    Random Bit Generation Final Draft - NIST SP 800-90B https://csrc.nist.gov/publications/detail/sp/800-90b/final
  144. joind.in/talk/d4f3a @SammyK #phptek New & improved man pages for /dev/urandom

    http://man7.org/linux/man-pages/man7/random.7.html
  145. joind.in/talk/d4f3a @SammyK #phptek Myths about /dev/urandom Thomas Hühn https://www.2uo.de/myths-about-urandom/

  146. joind.in/talk/d4f3a @SammyK #phptek Cracking Random Number Generators Three-part blog post

    series James Roper https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
  147. joind.in/talk/d4f3a @SammyK #phptek How I Met Your Girlfriend DEF CON

    18 Samy Kamkar https://www.youtube.com/watch?v=fWk_rMQiDGc
  148. joind.in/talk/d4f3a @SammyK #phptek Weak RNG in PHP session ID generation

    leads to session hijacking Andreas Bogk http://seclists.org/fulldisclosure/2010/Mar/519
  149. joind.in/talk/d4f3a @SammyK #phptek

  150. joind.in/talk/d4f3a @SammyK #phptek Thanks @hfronz! ❤

  151. joind.in/talk/d4f3a @SammyK #phptek Sammy Kaye Powers Thanks! /talk/d4f3a @SammyK SammyK.me

    Host of @PHPRoundtable Thanks @hfronz! ❤