Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's get random: Under the hood of PHP 7's CSP...

Avatar for SammyK SammyK
October 17, 2018
Programming
0
1.6k

Let's get random: Under the hood of PHP 7's CSPRNG - ZendCon & OpenEnterprise 2018

Talk given at ZendCon & OpenEnterprise 2018

Randomness is really important in many cryptographic contexts. Unfortunately, true randomness is a non-trivial achievement for computers. In fact, using weak sources of randomness can leave your application open to myriad vulnerabilities. Enter a good cryptographically secure pseudorandom number generator (CSPRNG).

We’ll discuss the importance of using good sources of randomness, the CSPRNG options we had in PHP 5, and how the new-goodness CSPRNG functions in PHP 7 work under the hood.
Avatar for SammyK

SammyK

October 17, 2018
Tweet

More Decks by SammyK

See All by SammyK
Going Bare - Writing The Web Without A Framework - Longhorn PHP 2019
Avatar for SammyK sammyk
1
1.2k
Going bare - writing the web without a framework - php[world] 2018
Avatar for SammyK sammyk
0
680
The Debug Dance - An Intro To Step Debugging - php[world] 2018
Avatar for SammyK sammyk
0
1.4k
The debug dance: An intro to step debugging - ZendCon & OpenEnterprise 2018
Avatar for SammyK sammyk
1
450
Going Bare - Writing the web without a framework - Cascadia PHP 2018
Avatar for SammyK sammyk
0
690
Let's Get Random - Under The Hood of PHP 7's CSPRNG - php[tek] 2018
Avatar for SammyK sammyk
0
270
Writing Tests For PHP Source - ZendCon 2017
Avatar for SammyK sammyk
1
1.7k
Going Bare - Writing the web without a framework - ZendCon 2017
Avatar for SammyK sammyk
2
490
Bringing Old Legacy Apps To PHP 7 and Beyond - PNWPHP 2017
Avatar for SammyK sammyk
0
2k

Other Decks in Programming

See All in Programming
Serving TUIs over SSH with Go
Avatar for Carlos Alexandro Becker caarlos0
0
800
CRUD から CQRS へ ~ 分離が可能にする柔軟性
Avatar for Takashi Kawae tkawae
0
180
Designing Your Organization's Test Pyramid ( #scrumniigata )
Avatar for teyamagu teyamagu
PRO
5
1.7k
ぽちぽち選択するだけでOSSを読めるVSCode拡張機能
Avatar for Kazuya Kurihara ymbigo
14
6.6k
Global Azure 2025 @ Kansai / Hyperlight
Avatar for kosmosebi kosmosebi
0
170
Rubyの!メソッドをちゃんと理解する
Avatar for Yuto Urushima alstrocrack
2
380
私のRubyKaigi 2025 Kaigi Effect / My RubyKaigi 2025 Kaigi Effect
Avatar for chobishiba chobishiba
1
180
型安全なDrag and Dropの設計を考える
Avatar for yudppp yudppp
4
320
iOSアプリで測る!名古屋駅までの 方向と距離
Avatar for Ryu-nakayama ryunakayama
0
160
Doma で目指す ORM 最適解
Avatar for Toshihiro Nakamura nakamura_to
0
110
20250429 - CNTUG Meetup #67 / DevOps Taiwan Meetup #69 - Deep Dive into Tetragon: Building Runtime Security and Observability with eBPF
Avatar for ChengHao Yang tico88612
0
190
VibeCoding時代のエンジニアリング
Avatar for どすこい daisuketakeda
0
270

Featured

See All Featured
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.2k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
6
560
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.7k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
720
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
19
1.2k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
299
50k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.7k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
34
2.2k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
14
860
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
331
21k

Transcript

  1. Random Under the hood of PHP 7’s Let’s get CSPRNG

    Sammy Kaye Powers Las Vegas, NV - 2018

  2. joind.in/talk/0e3b7 @SammyK #zcoe18 Slides Get the joind.in/talk/0e3b7

  3. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG? What is the PHP 7

  4. joind.in/talk/0e3b7 @SammyK #zcoe18 random_int() random_bytes()

  5. joind.in/talk/0e3b7 @SammyK #zcoe18 ext/standard/random.c

  6. joind.in/talk/0e3b7 @SammyK #zcoe18 The end

  7. joind.in/talk/0e3b7 @SammyK #zcoe18 Random? What is

  8. Red Yellow White Red Yellow White Red Yellow White Period:

    3

  9. Jingle all the way, Oh what fun it is to

    ride In a one-horse open sleigh Predictable seed Jingle bells, jingle bells

  10. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, 116, 104, 101, 32, 119, 97, 121, 44 Random, right?

  11. ASCII

  12. 74, 105, 110, 103, 108, 101, 32, chr() J, i,

    n, g, l, e, ,

  13. 97, 108, 108, 32, What’s the next word? a, l,

    l, ,

  14. 116, 104, 101, 32, t, h, e, ,

  15. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, Random, right? 116, 104, 101, 32, nope!

  16. Felt? Remember how we

  17. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, 116, 104, 101, 32, 119, 97, 121, 44 What’s the meaning? ASCII codes! Ah, right. Carry on then. Deterministic

  18. joind.in/talk/0e3b7 @SammyK #zcoe18 Why did we think

  19. joind.in/talk/0e3b7 @SammyK #zcoe18 •Think of a two-digit number •Between one

    and one hundred •Both digits odd •Both digits different

  20. joind.in/talk/0e3b7 @SammyK #zcoe18 Are you thinking of… 37

  21. joind.in/talk/0e3b7 @SammyK #zcoe18 Humans are bad at being random

  22. joind.in/talk/0e3b7 @SammyK #zcoe18 Environment Can we use our to make

    better random numbers?

  23. joind.in/talk/0e3b7 @SammyK #zcoe18 Time? Maybe the

  24. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 720

  25. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 BUT!

  26. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 • Session started at 4:00 pm PDT • That was on slide #23 • If you timed my rehearsals…

  27. joind.in/talk/0e3b7 @SammyK #zcoe18 11 random? What makes a number

  28. joind.in/talk/0e3b7 @SammyK #zcoe18 2, 4, 6, 8, __ 10

  29. joind.in/talk/0e3b7 @SammyK #zcoe18 1337, 42, 0, _ ?

  30. joind.in/talk/0e3b7 @SammyK #zcoe18 1337, 42, 0, 1337, 42, 0, 1337,

    __ 42

  31. joind.in/talk/0e3b7 @SammyK #zcoe18 Random? What is isn’t Deterministic

  32. joind.in/talk/0e3b7 @SammyK #zcoe18 “True” Random Measurement of atmospheric noise Count

    of the number of electrons coming off of a radioactive material
  33. None

  34. joind.in/talk/0e3b7 @SammyK #zcoe18 Can I haz random number?

  35. joind.in/talk/0e3b7 @SammyK #zcoe18

  36. joind.in/talk/0e3b7 @SammyK #zcoe18

  37. joind.in/talk/0e3b7 @SammyK #zcoe18 *sigh* Take this. 42

  38. joind.in/talk/0e3b7 @SammyK #zcoe18

  39. joind.in/talk/0e3b7 @SammyK #zcoe18 0

  40. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,1 ?

  41. joind.in/talk/0e3b7 @SammyK #zcoe18 Number Generator …or “PRNG” for short Pseudorandom

  42. joind.in/talk/0e3b7 @SammyK #zcoe18 Pseudorandom? How’s that different than just random?

    Deterministic

  43. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,1 Generator Linear Congruential

  44. joind.in/talk/0e3b7 @SammyK #zcoe18 Generator Linear Congruential

  45. joind.in/talk/0e3b7 @SammyK #zcoe18

  46. joind.in/talk/0e3b7 @SammyK #zcoe18 The modulus The multiplier The increment The

    seed

  47. joind.in/talk/0e3b7 @SammyK #zcoe18

  48. joind.in/talk/0e3b7 @SammyK #zcoe18

  49. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,

  50. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5, Deterministic

  51. joind.in/talk/0e3b7 @SammyK #zcoe18 https://xkcd.com/221/

  52. joind.in/talk/0e3b7 @SammyK #zcoe18

  53. joind.in/talk/0e3b7 @SammyK #zcoe18

  54. joind.in/talk/0e3b7 @SammyK #zcoe18 8,7,5, 1,2,

  55. joind.in/talk/0e3b7 @SammyK #zcoe18 1,2,4, 8,7, BUT!

  56. joind.in/talk/0e3b7 @SammyK #zcoe18

  57. 5,1,2,4,8,7,5, 1,2,4,8,7,5,1, 2,4,8,7,5,1,2, 4,8,7,5,1,2,4, 8,7,5,1,2,4,8, 7,5,1,2,4, Predictable Period: 6

  58. joind.in/talk/0e3b7 @SammyK #zcoe18 LCG lcg_value() PHP has a combined

  59. joind.in/talk/0e3b7 @SammyK #zcoe18 PRNG? Is there a better

  60. joind.in/talk/0e3b7 @SammyK #zcoe18 Twister Mersenne mt_rand()

  61. joind.in/talk/0e3b7 @SammyK #zcoe18

  62. mt_rand() 724937621,955931554,1407935661,821438740,109344 9922,603009103,1540988686,1028238631,798475733, 1057939018,671583233,1853117923,98760648,112245 3373,534404057,900958085,1712824654,476385742,2 9956470,362833620,424798798,746223917,942003531 ,320462445,673296853,1351199651,141566289,16454 09515,995047403,1216151582,1115999460,175322091 7,1312071810,1553254094,1622498991,2080099801,1 704834715,1537620663,1357630828,1317892558,

    219,937-1

  63. joind.in/talk/0e3b7 @SammyK #zcoe18

  64. mt_rand(0,99) 83,9,64,28,62,48,83,47,46,53,37,26,21,91,61,32,58,1,89,60,65,97,42,56,6,47,76,1 2,98,11,36,61,62,60,43,67,6,16,73,15,39,38,56,19,66,56,98,72,91,24,57,94,8,26,7 3,55,17,14,84,89,39,11,13,48,71,98,89,63,9,95,74,9,81,85,97,24,14,14,77,22,96,4 3,61,91,61,58,19,71,8,49,18,92,38,34,9,36,91,59,14,4,58,59,29,74,52,41,36,67,82 ,67,11,0,58,51,37,4,45,56,35,50,78,91,27,39,80,27,28,95,2,82,51,72,27,41,43,74, 7,82,59,89,72,9,22,61,75,27,64,16,77,57,31,29,59,47,14,67,89,33,94,33,94,22,11, 62,9,13,61,45,78,29,3,11,99,91,52,79,63,64,43,99,53,22,16,10,53,57,15,84,16,30, 17,10,3,35,0,45,83,11,70,66,37,14,59,41,46,52,53,53,62,56,41,82,40,99,8,92,96,2 2,22,43,35,60,45,77,26,96,45,51,62,77,64,23,52,17,17,97,93,57,43,56,45,62,42,24

    ,62,1,59,38,70,13,34,32,48,47,1,42,48,18,2,59,47,53,10,3,66,68,93,4,53,85,20,77 ,63,43,45,16,15,77,73,89,11,64,76,30,46,91,1,85,96,19,63,70,62,35,58,95,63,38,7 8,83,8,97,22,2,28,51,25,29,98,62,74,59,95,79,74,66,47,35,83,56,49,25,32,25,46,1 3,69,77,30,94,24,31,68,23,64,47,28,33,65,69,16,0,98,37,85,93,60,24,10,54,50,42, 64,11,9,13,15,84,3,23,73,83,83,72,9,2,28,23,90,73,2,47,45,93,4,32,25,75,61,98,7 3,79,66,23,20,83,11,45,67,40,39,45,0,65,40,78,74,8,79,86,38,10,87,60,99,30,35,5 0,16,29,24,19,29,16,40,57,87,26,90,1,63,63,34,44,8,36,25,38,50,10,15,17,14,40,6 ,53,88,18,36,46,69,2,13,0,83,59,92,59,34,34,24,40,99,41,6,79,65,98,9,36,31,8,4, 89,98,91,80,42,10,26,72,40,50,39,25,33,45,24,70,54,89,91,53,23,12,20,40,21,25,5 5,48,11,3,84,42,5,7,21,58,85,18,52,92,94,69,20,49,3,8,55,57,4,38,52,37,64,55,82 ,98,5,75,84,35,14,99,74,23,41,69,55,53,22,52,6,68,35,38,73,52,22,52,86,79,15,38 ,3,20,99,36,23,77,33,80,16,97,54,88,11,77,77,99,70,26,5,75,87,4,23,8,50,79,61,5 5,80,25,58,79,25,56,9,81,6,42,27,90,58,6,62,74,25,79,81,61,23,54,92,53,16,66,22 ,49,77,97,84,25,49,32,49,65,51,1,93,63,68,69,67,10,44,99,44,42,89,35,24, 624 = busted

  65. echo mt_rand(0,99); 11

  66. echo mt_rand(0,99); 9

  67. echo mt_rand(0,99); 60

  68. mt_srand(10); echo mt_rand(0,99); 21

  69. mt_srand(10); echo mt_rand(0,99); 21

  70. mt_srand(10); echo mt_rand(0,99); 21

  71. None

  72. joind.in/talk/0e3b7 @SammyK #zcoe18 Good randomness can be Deterministic (e.g. games)

  73. joind.in/talk/0e3b7 @SammyK #zcoe18

  74. joind.in/talk/0e3b7 @SammyK #zcoe18

  75. joind.in/talk/0e3b7 @SammyK #zcoe18

  76. joind.in/talk/0e3b7 @SammyK #zcoe18 AKA “Seed”

  77. joind.in/talk/0e3b7 @SammyK #zcoe18

  78. joind.in/talk/0e3b7 @SammyK #zcoe18

  79. joind.in/talk/0e3b7 @SammyK #zcoe18 deterministic randomness is contexts In cryptographic really,

    really, really, really objectively…

  80. joind.in/talk/0e3b7 @SammyK #zcoe18 BAD

  81. joind.in/talk/0e3b7 @SammyK #zcoe18 CSRF Take for example Tokens

  82. joind.in/talk/0e3b7 @SammyK #zcoe18 Cross-site request forgery (CSRF) tokens help prevent

    unauthorized requests on a user’s behalf.

  83. joind.in/talk/0e3b7 @SammyK #zcoe18 A CSRF token must be unique and

    unpredictable. *don’t do this

  84. joind.in/talk/0e3b7 @SammyK #zcoe18

  85. joind.in/talk/0e3b7 @SammyK #zcoe18

  86. joind.in/talk/0e3b7 @SammyK #zcoe18

  87. joind.in/talk/0e3b7 @SammyK #zcoe18 I’ll just let PHP seed mt_rand() for

    me. Bad idea jeans *Old SNL skit reference

  88. joind.in/talk/0e3b7 @SammyK #zcoe18

  89. joind.in/talk/0e3b7 @SammyK #zcoe18 What about rand() you ask?

  90. joind.in/talk/0e3b7 @SammyK #zcoe18 Nope

  91. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() …in PHP 7.0 & below

  92. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() Uses the system PRNG (unreliable &

    inconsistent) Is a PRNG (totes predictable) Uniform distribution issues

  93. joind.in/talk/0e3b7 @SammyK #zcoe18 Uniform Distribution

  94. joind.in/talk/0e3b7 @SammyK #zcoe18 0 0.05 0.1 0.15 0.2 1 2

    3 4 5 6

  95. joind.in/talk/0e3b7 @SammyK #zcoe18 0 0.1 0.2 0.3 0.4 1 2

    3 4 5 6

  96. joind.in/talk/0e3b7 @SammyK #zcoe18 Uniform Distribution == True Random

  97. joind.in/talk/0e3b7 @SammyK #zcoe18 mt_rand() Implements the MT algorithm incorrectly Is

    a PRNG (totes predictable) Has a modulo bias

  98. joind.in/talk/0e3b7 @SammyK #zcoe18 Modulo Bias

  99. joind.in/talk/0e3b7 @SammyK #zcoe18 6 % 3 = 0 8 %

    3 = 2 Modulo Operator

  100. joind.in/talk/0e3b7 @SammyK #zcoe18 Random # between 0 & 1 n

    % 2 = 0 or 1 Use mod 2

  101. joind.in/talk/0e3b7 @SammyK #zcoe18 rand_src() = 1, 2, or 3 2

    % 2 = 0 3 % 2 = 1 1 is more likely 1 % 2 = 1

  102. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() …in PHP 7.1 & above

  103. joind.in/talk/0e3b7 @SammyK #zcoe18 mt_rand() Fixes bug in MT algorithm implementation

    Is a PRNG (totes predictable)

  104. joind.in/talk/0e3b7 @SammyK #zcoe18 They’re totes samezies! rand() mt_rand() ===

  105. joind.in/talk/0e3b7 @SammyK #zcoe18

  106. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() Both suffer from modulo bias

    &

  107. joind.in/talk/0e3b7 @SammyK #zcoe18 Seeds aren’t impossible to predict

  108. joind.in/talk/0e3b7 @SammyK #zcoe18 Entropy *Could be it’s own talk

  109. joind.in/talk/0e3b7 @SammyK #zcoe18 A measure of how accurately we’re able

    to predict the next value in a sequence.* * oversimplification

  110. joind.in/talk/0e3b7 @SammyK #zcoe18 High entropy harder to predict Low entropy

    easier to predict

  111. joind.in/talk/0e3b7 @SammyK #zcoe18 High entropy harder to predict Good for

    random number generation

  112. joind.in/talk/0e3b7 @SammyK #zcoe18 Cryptographically Pseudorandom Secure Number Generator

  113. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG or…

  114. joind.in/talk/0e3b7 @SammyK #zcoe18 “See Spring” or…

  115. Unicorn Magical

  116. Uses seeds that are really really really really ridiculously hard

    to guess

  117. joind.in/talk/0e3b7 @SammyK #zcoe18 High Entropy wee!

  118. joind.in/talk/0e3b7 @SammyK #zcoe18 impossible It’s values are to predict in

    practice 42 82 Suitable for use in cryptographic contexts.

  119. mythical Where can we find this creature?

  120. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG options in 5.x

  121. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  122. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  123. joind.in/talk/0e3b7 @SammyK #zcoe18

  124. joind.in/talk/0e3b7 @SammyK #zcoe18 TAKE_ to_live TAKE_ to_lie

  125. joind.in/talk/0e3b7 @SammyK #zcoe18 TAKE_ to_lie 5.6.11

  126. joind.in/talk/0e3b7 @SammyK #zcoe18 5.6.12 TAKE_ to_live

  127. Fails open

  128. joind.in/talk/0e3b7 @SammyK #zcoe18 FALSE Can return

  129. joind.in/talk/0e3b7 @SammyK #zcoe18 empty string Can be

  130. joind.in/talk/0e3b7 @SammyK #zcoe18 Still not done!

  131. joind.in/talk/0e3b7 @SammyK #zcoe18 WRONG Easy to get

  132. joind.in/talk/0e3b7 @SammyK #zcoe18 Worse It gets

  133. joind.in/talk/0e3b7 @SammyK #zcoe18 Since the UNIX fork() system call duplicates

    the entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child […], leading to cryptographic disaster… https://wiki.openssl.org/index.php/Random_fork-safety

  134. joind.in/talk/0e3b7 @SammyK #zcoe18 OpenSSL’s be like 42 CSPRNG 82 82

  135. joind.in/talk/0e3b7 @SammyK #zcoe18 OpenSSL cannot fix the fork-safety problem because

    its not in a position to do so. However, there are [solutions] available and they are listed below. https://wiki.openssl.org/index.php/Random_fork-safety

  136. joind.in/talk/0e3b7 @SammyK #zcoe18 Don't use RAND_bytes https://wiki.openssl.org/index.php/Random_fork-safety

  137. joind.in/talk/0e3b7 @SammyK #zcoe18 Instead, you can read directly from /dev/random,

    /dev/urandom or /dev/srandom; or use CryptGenRandom on Windows systems. https://wiki.openssl.org/index.php/Random_fork-safety

  138. joind.in/talk/0e3b7 @SammyK #zcoe18 Status update! v1.1.1 (2018-09-11)

  139. joind.in/talk/0e3b7 @SammyK #zcoe18 mcrypt_create_iv() /dev/urandom openssl_random_pseudo_bytes()

  140. Fails open

  141. joind.in/talk/0e3b7 @SammyK #zcoe18

  142. joind.in/talk/0e3b7 @SammyK #zcoe18

  143. joind.in/talk/0e3b7 @SammyK #zcoe18

  144. joind.in/talk/0e3b7 @SammyK #zcoe18 /dev/urandom openssl_random_pseudo_bytes() mcrypt_create_iv()

  145. joind.in/talk/0e3b7 @SammyK #zcoe18 open_basedir=/foo/dir

  146. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  147. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG New goodness 7

  148. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG random_int() random_bytes()

  149. random_int(0,99) 6,17,6,9,17,53,58,98,46,44,62,9,76,65,46,21,42,5,65,34,11,96,85,7,46,89,98,9,9, 80,8,76,87,18,24,68,16,61,27,39,30,32,4,83,83,23,96,27,13,47,6,99,16,40,2,75,27 ,3,79,68,75,60,50,70,63,17,75,29,79,57,9,48,18,86,95,25,40,52,20,86,6,48,94,27, 76,14,9,27,62,14,68,58,12,18,63,19,84,47,7,13,63,28,66,55,2,75,44,92,11,85,51,1 7,42,57,22,4,53,7,3,76,48,55,95,7,45,33,87,36,11,17,66,6,46,87,57,48,22,31,65,5 ,26,10,47,82,97,74,25,32,63,60,29,53,13,24,56,54,52,86,67,4,94,35,48,73,35,45,2 4,74,74,83,49,70,41,49,20,60,29,49,30,35,38,63,4,86,72,97,26,22,36,95,59,94,24, 89,73,46,14,73,51,93,93,39,13,80,9,30,24,20,30,63,20,64,97,29,7,2,82,96,42,61,5 3,28,49,12,90,71,58,72,63,49,32,69,76,50,62,88,31,26,72,79,19,15,3,39,27,80,16,

    65,62,53,82,59,23,85,95,41,68,86,3,92,76,91,88,12,20,96,14,35,50,94,24,23,44,55 ,78,65,81,7,1,86,32,58,46,97,43,78,9,51,1,6,79,73,49,13,40,21,90,14,9,70,95,88, 37,85,14,7,29,42,55,81,46,39,41,45,81,11,93,26,89,4,98,35,30,36,74,97,18,85,97, 23,52,64,88,20,89,12,25,19,21,21,50,60,50,43,84,1,52,5,19,2,86,38,51,48,30,55,9 0,93,97,52,84,29,58,96,78,37,24,14,72,81,9,82,26,83,83,17,35,15,9,87,95,51,71,4 8,9,45,13,61,98,3,18,96,99,28,74,47,58,71,89,68,57,51,86,90,38,21,72,72,30,22,1 3,88,25,48,45,62,59,81,32,10,54,82,60,90,17,98,41,73,98,60,22,99,66,32,41,82,62 ,91,3,85,91,21,17,98,19,48,50,24,67,3,14,62,55,35,99,95,83,76,12,51,77,61,24,24 ,60,15,31,47,24,27,97,98,70,6,24,25,20,23,67,72,55,47,19,53,50,38,22,76,37,63,8 2,67,52,3,75,84,84,71,49,79,26,89,11,77,55,92,32,81,38,23,54,9,40,80,75,20,7,58 ,37,72,75,59,46,32,41,82,90,72,59,5,42,2,94,44,44,4,15,37,29,24,10,51,18,8,42,5 6,9,68,31,99,7,77,59,8,74,80,11,15,93,81,5,72,44,49,39,25,4,18,98,0,93,42,78,36 ,57,47,16,49,2,85,6,31,17,81,10,54,40,95,68,31,80,29,41,86,32,9,58,96,62,79,25, 6,45,56,54,0,61,74,90,12,34,11,56,3,41,39,84,32,30,42,81,36,43,5,

  150. joind.in/talk/0e3b7 @SammyK #zcoe18 bin2hex(random_bytes(16)) f7f5289027cb6c5116d 2d3cc78e5819c

  151. Fails Closed

  152. joind.in/talk/0e3b7 @SammyK #zcoe18 You’re not strong until you’re crypto-strong!

  153. CSPRNG under the hood

  154. None

  155. joind.in/talk/0e3b7 @SammyK #zcoe18 On Windows: CryptGenRandom On BSD: arc4random_buf() On

    Linux: getrandom(2) syscall Read directly from /dev/urandom

  156. joind.in/talk/0e3b7 @SammyK #zcoe18 /dev/urandom So what is this thing?

  157. /dev/urandom Gathers environmental noise from the system like… …device drivers,

    inter-keyboard timings, inter-interrupt timings from some interrupts, and other events which are both (a) non-deterministic and (b) hard for an outside observer to measure. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/char/random.c

  158. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG random_bytes() random_int() 7 /dev/urandom Powered by

  159. joind.in/talk/0e3b7 @SammyK #zcoe18 Still on 5.x? paragonie/random_compat Polyfill for PHP

    7 CSPRNG

  160. joind.in/talk/0e3b7 @SammyK #zcoe18 http://php.net/supported-versions.php 5.6 EOL in 75 days

  161. joind.in/talk/0e3b7 @SammyK #zcoe18 http://php.net/supported-versions.php 7.0 EOL in 47 days

  162. joind.in/talk/0e3b7 @SammyK #zcoe18 FAQ’s

  163. joind.in/talk/0e3b7 @SammyK #zcoe18 Benchmarks* * are lies

  164. joind.in/talk/0e3b7 @SammyK #zcoe18 If random_bytes() random_int() are… …why not update

    mt_rand()

  165. joind.in/talk/0e3b7 @SammyK #zcoe18

  166. joind.in/talk/0e3b7 @SammyK #zcoe18

  167. joind.in/talk/0e3b7 @SammyK #zcoe18 TL;DR Never use LCG, MT, or any

    other PRNG in cryptographic contexts Only use a CSPRNG like /dev/urandom for crypto Use random_bytes() & random_int() in PHP (or install paragonie/random_compat)

  168. joind.in/talk/0e3b7 @SammyK #zcoe18 More Resources

  169. joind.in/talk/0e3b7 @SammyK #zcoe18 Recommendation for the Entropy Sources Used for

    Random Bit Generation Final Draft - NIST SP 800-90B https://csrc.nist.gov/publications/detail/sp/800-90b/final

  170. joind.in/talk/0e3b7 @SammyK #zcoe18 New & improved man pages for /dev/urandom

    http://man7.org/linux/man-pages/man7/random.7.html

  171. joind.in/talk/0e3b7 @SammyK #zcoe18 Myths about /dev/urandom Thomas Hühn https://www.2uo.de/myths-about-urandom/ With

    pretty pictures!

  172. joind.in/talk/0e3b7 @SammyK #zcoe18 Cracking Random Number Generators Three-part blog post

    series James Roper https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html

  173. joind.in/talk/0e3b7 @SammyK #zcoe18 How I Met Your Girlfriend DEF CON

    18 Samy Kamkar https://www.youtube.com/watch?v=fWk_rMQiDGc

  174. joind.in/talk/0e3b7 @SammyK #zcoe18 Weak RNG in PHP session ID generation

    leads to session hijacking Andreas Bogk http://seclists.org/fulldisclosure/2010/Mar/519

  175. joind.in/talk/0e3b7 @SammyK #zcoe18 Sammy Kaye Powers Thanks! /talk/0e3b7 @SammyK SammyK.me

    Host of @PHPRoundtable