Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's get random: Under the hood of PHP 7's CSP...

Avatar for SammyK SammyK
October 17, 2018
Programming
0
1.6k

Let's get random: Under the hood of PHP 7's CSPRNG - ZendCon & OpenEnterprise 2018

Talk given at ZendCon & OpenEnterprise 2018

Randomness is really important in many cryptographic contexts. Unfortunately, true randomness is a non-trivial achievement for computers. In fact, using weak sources of randomness can leave your application open to myriad vulnerabilities. Enter a good cryptographically secure pseudorandom number generator (CSPRNG).

We’ll discuss the importance of using good sources of randomness, the CSPRNG options we had in PHP 5, and how the new-goodness CSPRNG functions in PHP 7 work under the hood.

Avatar for SammyK

SammyK

October 17, 2018
Tweet

More Decks by SammyK

See All by SammyK
Going Bare - Writing The Web Without A Framework - Longhorn PHP 2019
Avatar for SammyK sammyk
1
1.2k
Going bare - writing the web without a framework - php[world] 2018
Avatar for SammyK sammyk
0
690
The Debug Dance - An Intro To Step Debugging - php[world] 2018
Avatar for SammyK sammyk
0
1.4k
The debug dance: An intro to step debugging - ZendCon & OpenEnterprise 2018
Avatar for SammyK sammyk
1
460
Going Bare - Writing the web without a framework - Cascadia PHP 2018
Avatar for SammyK sammyk
0
720
Let's Get Random - Under The Hood of PHP 7's CSPRNG - php[tek] 2018
Avatar for SammyK sammyk
0
280
Writing Tests For PHP Source - ZendCon 2017
Avatar for SammyK sammyk
1
1.7k
Going Bare - Writing the web without a framework - ZendCon 2017
Avatar for SammyK sammyk
2
500
Bringing Old Legacy Apps To PHP 7 and Beyond - PNWPHP 2017
Avatar for SammyK sammyk
0
2k

Other Decks in Programming

See All in Programming
オンコール⼊⾨〜ページャーが鳴る前に、あなたが備えられること〜 / Before The Pager Rings
Avatar for Yuuki Takahashi yktakaha4
2
1.1k
NEWT Backend Evolution
Avatar for Rodrigo Ramirez xpromx
1
140
Streamlitで実現できるようになったこと、実現してくれたこと
Avatar for Ayumu Yamaguchi ayumu_yamaguchi
2
200
DMMを支える決済基盤の技術的負債にどう立ち向かうか / Addressing Technical Debt in Payment Infrastructure
Avatar for yoshiyoshifujii yoshiyoshifujii
4
550
知って得する@cloudflare_vite-pluginのあれこれ
Avatar for chimame chimame
1
110
Android 16KBページサイズ対応をはじめからていねいに
Avatar for mine2424 mine2424
0
600
テスト駆動Kaggle
Avatar for ねぼすけAI isax1015
1
860
AIともっと楽するE2Eテスト
Avatar for Yohei Maeda myohei
9
3.1k
顧客の画像データをテラバイト単位で配信する 画像サーバを WebP にした際に起こった課題と その対応策 ~継続的な取り組みを添えて~
Avatar for Takuya TAKAHASHI takutakahashi
4
1.4k
テストから始めるAgentic Coding 〜Claude Codeと共に行うTDD〜 / Agentic Coding starts with testing
Avatar for r-kagaya rkaga
16
5.9k
Rails Frontend Evolution: It Was a Setup All Along
Avatar for Svyatoslav Kryukov skryukov
0
310
202507_ADKで始めるエージェント開発の基本 〜デモを通じて紹介〜(奥田りさ)
Avatar for RisaTube risatube
PRO
1
110

Featured

See All Featured
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k
Making Projects Easy
Avatar for Brett Harned brettharned
116
6.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
161
15k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.8k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.7k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
695
190k

Transcript

  1. Random Under the hood of PHP 7’s Let’s get CSPRNG

    Sammy Kaye Powers Las Vegas, NV - 2018

  2. joind.in/talk/0e3b7 @SammyK #zcoe18 Slides Get the joind.in/talk/0e3b7

  3. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG? What is the PHP 7

  4. joind.in/talk/0e3b7 @SammyK #zcoe18 random_int() random_bytes()

  5. joind.in/talk/0e3b7 @SammyK #zcoe18 ext/standard/random.c

  6. joind.in/talk/0e3b7 @SammyK #zcoe18 The end

  7. joind.in/talk/0e3b7 @SammyK #zcoe18 Random? What is

  8. Red Yellow White Red Yellow White Red Yellow White Period:

    3

  9. Jingle all the way, Oh what fun it is to

    ride In a one-horse open sleigh Predictable seed Jingle bells, jingle bells

  10. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, 116, 104, 101, 32, 119, 97, 121, 44 Random, right?

  11. ASCII

  12. 74, 105, 110, 103, 108, 101, 32, chr() J, i,

    n, g, l, e, ,

  13. 97, 108, 108, 32, What’s the next word? a, l,

    l, ,

  14. 116, 104, 101, 32, t, h, e, ,

  15. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, Random, right? 116, 104, 101, 32, nope!

  16. Felt? Remember how we

  17. 74, 105, 110, 103, 108, 101, 32, 97, 108, 108,

    32, 116, 104, 101, 32, 119, 97, 121, 44 What’s the meaning? ASCII codes! Ah, right. Carry on then. Deterministic

  18. joind.in/talk/0e3b7 @SammyK #zcoe18 Why did we think

  19. joind.in/talk/0e3b7 @SammyK #zcoe18 •Think of a two-digit number •Between one

    and one hundred •Both digits odd •Both digits different

  20. joind.in/talk/0e3b7 @SammyK #zcoe18 Are you thinking of… 37

  21. joind.in/talk/0e3b7 @SammyK #zcoe18 Humans are bad at being random

  22. joind.in/talk/0e3b7 @SammyK #zcoe18 Environment Can we use our to make

    better random numbers?

  23. joind.in/talk/0e3b7 @SammyK #zcoe18 Time? Maybe the

  24. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 720

  25. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 BUT!

  26. joind.in/talk/0e3b7 @SammyK #zcoe18 12:00, 12:01, 12:02, 12:03, 12:04, 12:05, 12:06,

    12:07, 12:08, 12:09, 12:10, 12:11, 12:12, 12:13, 12:14, 12:15, 12:16, 12:17, 12:18, 12:19, 12:20, 12:21, 12:22, 12:23, 12:24, 12:25, 12:26, 12:27, 12:28, 12:29, 12:30, 12:31, 12:32, 12:33, 12:34, 12:35, 12:36, 12:37, 12:38, 12:39, 12:40, 12:41, 12:42, 12:43, 12:44, 12:45, 12:46, 12:47, 12:48, 12:49, 12:50, 12:51, 12:52, 12:53, 12:54, 12:55, 12:56, 12:57, 12:58, 12:59, 1:00, 1:01, 1:02, 1:03, 1:04, 1:05, 1:06, 1:07, 1:08, 1:09, 1:10, 1:11, 1:12, 1:13, 1:14, 1:15, 1:16, 1:17, 1:18, 1:19, 1:20, 1:21, 1:22, 1:23, 1:24, 1:25, 1:26, 1:27, 1:28, 1:29, 1:30, 1:31, 1:32, 1:33, 1:34, 1:35, 1:36, 1:37, 1:38, 1:39, 1:40, 1:41, 1:42, 1:43, 1:44, 1:45, 1:46, 1:47, 1:48, 1:49, 1:50, 1:51, 1:52, 1:53, 1:54, 1:55, 1:56, 1:57, 1:58, 1:59, 2:00, 2:01, 2:02, 2:03, 2:04, 2:05, 2:06, 2:07, 2:08, 2:09, 2:10, 2:11, 2:12, 2:13, 2:14, 2:15, 2:16, 2:17, 2:18, 2:19, 2:20, 2:21, 2:22, 2:23, 2:24, 2:25, 2:26, 2:27, 2:28, 2:29, 2:30, 2:31, 2:32, 2:33, 2:34, 2:35, 2:36, 2:37, 2:38, 2:39, 2:40, 2:41, 2:42, 2:43, 2:44, 2:45, 2:46, 2:47, 2:48, 2:49, 2:50, 2:51, 2:52, 2:53, 2:54, 2:55, 2:56, 2:57, 2:58, 2:59, 3:00, 3:01, 3:02, 3:03, 3:04, 3:05, 3:06, 3:07, 3:08, 3:09, 3:10, 3:11, 3:12, 3:13, 3:14, 3:15, 3:16, 3:17, 3:18, 3:19, 3:20, 3:21, 3:22, 3:23, 3:24, 3:25, 3:26, 3:27, 3:28, 3:29, 3:30, 3:31, 3:32, 3:33, 3:34, 3:35, 3:36, 3:37, 3:38, 3:39, 3:40, 3:41, 3:42, 3:43, 3:44, 3:45, 3:46, 3:47, 3:48, 3:49, 3:50, 3:51, 3:52, 3:53, 3:54, 3:55, 3:56, 3:57, 3:58, 3:59, 4:00, 4:01, 4:02, 4:03, 4:04, 4:05, 4:06, 4:07, 4:08, 4:09, 4:10, 4:11, 4:12, 4:13, 4:14, 4:15, 4:16, 4:17, 4:18, 4:19, 4:20, 4:21, 4:22, 4:23, 4:24, 4:25, 4:26, 4:27, 4:28, 4:29, 4:30, 4:31, 4:32, 4:33, 4:34, 4:35, 4:36, 4:37, 4:38, 4:39, 4:40, 4:41, 4:42, 4:43, 4:44, 4:45, 4:46, 4:47, 4:48, 4:49, 4:50, 4:51, 4:52, 4:53, 4:54, 4:55, 4:56, 4:57, 4:58, 4:59, 5:00, 5:01, 5:02, 5:03, 5:04, 5:05, 5:06, 5:07, 5:08, 5:09, 5:10, 5:11, 5:12, 5:13, 5:14, 5:15, 5:16, 5:17, 5:18, 5:19, 5:20, 5:21, 5:22, 5:23, 5:24, 5:25, 5:26, 5:27, 5:28, 5:29, 5:30, 5:31, 5:32, 5:33, 5:34, 5:35, 5:36, 5:37, 5:38, 5:39, 5:40, 5:41, 5:42, 5:43, 5:44, 5:45, 5:46, 5:47, 5:48, 5:49, 5:50, 5:51, 5:52, 5:53, 5:54, 5:55, 5:56, 5:57, 5:58, 5:59, 6:00, 6:01, 6:02, 6:03, 6:04, 6:05, 6:06, 6:07, 6:08, 6:09, 6:10, 6:11, 6:12, 6:13, 6:14, 6:15, 6:16, 6:17, 6:18, 6:19, 6:20, 6:21, 6:22, 6:23, 6:24, 6:25, 6:26, 6:27, 6:28, 6:29, 6:30, 6:31, 6:32, 6:33, 6:34, 6:35, 6:36, 6:37, 6:38, 6:39, 6:40, 6:41, 6:42, 6:43, 6:44, 6:45, 6:46, 6:47, 6:48, 6:49, 6:50, 6:51, 6:52, 6:53, 6:54, 6:55, 6:56, 6:57, 6:58, 6:59, 7:00, 7:01, 7:02, 7:03, 7:04, 7:05, 7:06, 7:07, 7:08, 7:09, 7:10, 7:11, 7:12, 7:13, 7:14, 7:15, 7:16, 7:17, 7:18, 7:19, 7:20, 7:21, 7:22, 7:23, 7:24, 7:25, 7:26, 7:27, 7:28, 7:29, 7:30, 7:31, 7:32, 7:33, 7:34, 7:35, 7:36, 7:37, 7:38, 7:39, 7:40, 7:41, 7:42, 7:43, 7:44, 7:45, 7:46, 7:47, 7:48, 7:49, 7:50, 7:51, 7:52, 7:53, 7:54, 7:55, 7:56, 7:57, 7:58, 7:59, 8:00, 8:01, 8:02, 8:03, 8:04, 8:05, 8:06, 8:07, 8:08, 8:09, 8:10, 8:11, 8:12, 8:13, 8:14, 8:15, 8:16, 8:17, 8:18, 8:19, 8:20, 8:21, 8:22, 8:23, 8:24, 8:25, 8:26, 8:27, 8:28, 8:29, 8:30, 8:31, 8:32, 8:33, 8:34, 8:35, 8:36, 8:37, 8:38, 8:39, 8:40, 8:41, 8:42, 8:43, 8:44, 8:45, 8:46, 8:47, 8:48, 8:49, 8:50, 8:51, 8:52, 8:53, 8:54, 8:55, 8:56, 8:57, 8:58, 8:59, 9:00, 9:01, 9:02, 9:03, 9:04, 9:05, 9:06, 9:07, 9:08, 9:09, 9:10, 9:11, 9:12, 9:13, 9:14, 9:15, 9:16, 9:17, 9:18, 9:19, 9:20, 9:21, 9:22, 9:23, 9:24, 9:25, 9:26, 9:27, 9:28, 9:29, 9:30, 9:31, 9:32, 9:33, 9:34, 9:35, 9:36, 9:37, 9:38, 9:39, 9:40, 9:41, 9:42, 9:43, 9:44, 9:45, 9:46, 9:47, 9:48, 9:49, 9:50, 9:51, 9:52, 9:53, 9:54, 9:55, 9:56, 9:57, 9:58, 9:59, 10:00, 10:01, 10:02, 10:03, 10:04, 10:05, 10:06, 10:07, 10:08, 10:09, 10:10, 10:11, 10:12, 10:13, 10:14, 10:15, 10:16, 10:17, 10:18, 10:19, 10:20, 10:21, 10:22, 10:23, 10:24, 10:25, 10:26, 10:27, 10:28, 10:29, 10:30, 10:31, 10:32, 10:33, 10:34, 10:35, 10:36, 10:37, 10:38, 10:39, 10:40, 10:41, 10:42, 10:43, 10:44, 10:45, 10:46, 10:47, 10:48, 10:49, 10:50, 10:51, 10:52, 10:53, 10:54, 10:55, 10:56, 10:57, 10:58, 10:59, 11:00, 11:01, 11:02, 11:03, 11:04, 11:05, 11:06, 11:07, 11:08, 11:09, 11:10, 11:11, 11:12, 11:13, 11:14, 11:15, 11:16, 11:17, 11:18, 11:19, 11:20, 11:21, 11:22, 11:23, 11:24, 11:25, 11:26, 11:27, 11:28, 11:29, 11:30, 11:31, 11:32, 11:33, 11:34, 11:35, 11:36, 11:37, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:54, 11:55, 11:56, 11:57, 11:58, 11:59 • Session started at 4:00 pm PDT • That was on slide #23 • If you timed my rehearsals…

  27. joind.in/talk/0e3b7 @SammyK #zcoe18 11 random? What makes a number

  28. joind.in/talk/0e3b7 @SammyK #zcoe18 2, 4, 6, 8, __ 10

  29. joind.in/talk/0e3b7 @SammyK #zcoe18 1337, 42, 0, _ ?

  30. joind.in/talk/0e3b7 @SammyK #zcoe18 1337, 42, 0, 1337, 42, 0, 1337,

    __ 42

  31. joind.in/talk/0e3b7 @SammyK #zcoe18 Random? What is isn’t Deterministic

  32. joind.in/talk/0e3b7 @SammyK #zcoe18 “True” Random Measurement of atmospheric noise Count

    of the number of electrons coming off of a radioactive material
  33. None

  34. joind.in/talk/0e3b7 @SammyK #zcoe18 Can I haz random number?

  35. joind.in/talk/0e3b7 @SammyK #zcoe18

  36. joind.in/talk/0e3b7 @SammyK #zcoe18

  37. joind.in/talk/0e3b7 @SammyK #zcoe18 *sigh* Take this. 42

  38. joind.in/talk/0e3b7 @SammyK #zcoe18

  39. joind.in/talk/0e3b7 @SammyK #zcoe18 0

  40. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,1 ?

  41. joind.in/talk/0e3b7 @SammyK #zcoe18 Number Generator …or “PRNG” for short Pseudorandom

  42. joind.in/talk/0e3b7 @SammyK #zcoe18 Pseudorandom? How’s that different than just random?

    Deterministic

  43. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,1 Generator Linear Congruential

  44. joind.in/talk/0e3b7 @SammyK #zcoe18 Generator Linear Congruential

  45. joind.in/talk/0e3b7 @SammyK #zcoe18

  46. joind.in/talk/0e3b7 @SammyK #zcoe18 The modulus The multiplier The increment The

    seed

  47. joind.in/talk/0e3b7 @SammyK #zcoe18

  48. joind.in/talk/0e3b7 @SammyK #zcoe18

  49. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5,

  50. joind.in/talk/0e3b7 @SammyK #zcoe18 2,4,8, 7,5, Deterministic

  51. joind.in/talk/0e3b7 @SammyK #zcoe18 https://xkcd.com/221/

  52. joind.in/talk/0e3b7 @SammyK #zcoe18

  53. joind.in/talk/0e3b7 @SammyK #zcoe18

  54. joind.in/talk/0e3b7 @SammyK #zcoe18 8,7,5, 1,2,

  55. joind.in/talk/0e3b7 @SammyK #zcoe18 1,2,4, 8,7, BUT!

  56. joind.in/talk/0e3b7 @SammyK #zcoe18

  57. 5,1,2,4,8,7,5, 1,2,4,8,7,5,1, 2,4,8,7,5,1,2, 4,8,7,5,1,2,4, 8,7,5,1,2,4,8, 7,5,1,2,4, Predictable Period: 6

  58. joind.in/talk/0e3b7 @SammyK #zcoe18 LCG lcg_value() PHP has a combined

  59. joind.in/talk/0e3b7 @SammyK #zcoe18 PRNG? Is there a better

  60. joind.in/talk/0e3b7 @SammyK #zcoe18 Twister Mersenne mt_rand()

  61. joind.in/talk/0e3b7 @SammyK #zcoe18

  62. mt_rand() 724937621,955931554,1407935661,821438740,109344 9922,603009103,1540988686,1028238631,798475733, 1057939018,671583233,1853117923,98760648,112245 3373,534404057,900958085,1712824654,476385742,2 9956470,362833620,424798798,746223917,942003531 ,320462445,673296853,1351199651,141566289,16454 09515,995047403,1216151582,1115999460,175322091 7,1312071810,1553254094,1622498991,2080099801,1 704834715,1537620663,1357630828,1317892558,

    219,937-1

  63. joind.in/talk/0e3b7 @SammyK #zcoe18

  64. mt_rand(0,99) 83,9,64,28,62,48,83,47,46,53,37,26,21,91,61,32,58,1,89,60,65,97,42,56,6,47,76,1 2,98,11,36,61,62,60,43,67,6,16,73,15,39,38,56,19,66,56,98,72,91,24,57,94,8,26,7 3,55,17,14,84,89,39,11,13,48,71,98,89,63,9,95,74,9,81,85,97,24,14,14,77,22,96,4 3,61,91,61,58,19,71,8,49,18,92,38,34,9,36,91,59,14,4,58,59,29,74,52,41,36,67,82 ,67,11,0,58,51,37,4,45,56,35,50,78,91,27,39,80,27,28,95,2,82,51,72,27,41,43,74, 7,82,59,89,72,9,22,61,75,27,64,16,77,57,31,29,59,47,14,67,89,33,94,33,94,22,11, 62,9,13,61,45,78,29,3,11,99,91,52,79,63,64,43,99,53,22,16,10,53,57,15,84,16,30, 17,10,3,35,0,45,83,11,70,66,37,14,59,41,46,52,53,53,62,56,41,82,40,99,8,92,96,2 2,22,43,35,60,45,77,26,96,45,51,62,77,64,23,52,17,17,97,93,57,43,56,45,62,42,24

    ,62,1,59,38,70,13,34,32,48,47,1,42,48,18,2,59,47,53,10,3,66,68,93,4,53,85,20,77 ,63,43,45,16,15,77,73,89,11,64,76,30,46,91,1,85,96,19,63,70,62,35,58,95,63,38,7 8,83,8,97,22,2,28,51,25,29,98,62,74,59,95,79,74,66,47,35,83,56,49,25,32,25,46,1 3,69,77,30,94,24,31,68,23,64,47,28,33,65,69,16,0,98,37,85,93,60,24,10,54,50,42, 64,11,9,13,15,84,3,23,73,83,83,72,9,2,28,23,90,73,2,47,45,93,4,32,25,75,61,98,7 3,79,66,23,20,83,11,45,67,40,39,45,0,65,40,78,74,8,79,86,38,10,87,60,99,30,35,5 0,16,29,24,19,29,16,40,57,87,26,90,1,63,63,34,44,8,36,25,38,50,10,15,17,14,40,6 ,53,88,18,36,46,69,2,13,0,83,59,92,59,34,34,24,40,99,41,6,79,65,98,9,36,31,8,4, 89,98,91,80,42,10,26,72,40,50,39,25,33,45,24,70,54,89,91,53,23,12,20,40,21,25,5 5,48,11,3,84,42,5,7,21,58,85,18,52,92,94,69,20,49,3,8,55,57,4,38,52,37,64,55,82 ,98,5,75,84,35,14,99,74,23,41,69,55,53,22,52,6,68,35,38,73,52,22,52,86,79,15,38 ,3,20,99,36,23,77,33,80,16,97,54,88,11,77,77,99,70,26,5,75,87,4,23,8,50,79,61,5 5,80,25,58,79,25,56,9,81,6,42,27,90,58,6,62,74,25,79,81,61,23,54,92,53,16,66,22 ,49,77,97,84,25,49,32,49,65,51,1,93,63,68,69,67,10,44,99,44,42,89,35,24, 624 = busted

  65. echo mt_rand(0,99); 11

  66. echo mt_rand(0,99); 9

  67. echo mt_rand(0,99); 60

  68. mt_srand(10); echo mt_rand(0,99); 21

  69. mt_srand(10); echo mt_rand(0,99); 21

  70. mt_srand(10); echo mt_rand(0,99); 21

  71. None

  72. joind.in/talk/0e3b7 @SammyK #zcoe18 Good randomness can be Deterministic (e.g. games)

  73. joind.in/talk/0e3b7 @SammyK #zcoe18

  74. joind.in/talk/0e3b7 @SammyK #zcoe18

  75. joind.in/talk/0e3b7 @SammyK #zcoe18

  76. joind.in/talk/0e3b7 @SammyK #zcoe18 AKA “Seed”

  77. joind.in/talk/0e3b7 @SammyK #zcoe18

  78. joind.in/talk/0e3b7 @SammyK #zcoe18

  79. joind.in/talk/0e3b7 @SammyK #zcoe18 deterministic randomness is contexts In cryptographic really,

    really, really, really objectively…

  80. joind.in/talk/0e3b7 @SammyK #zcoe18 BAD

  81. joind.in/talk/0e3b7 @SammyK #zcoe18 CSRF Take for example Tokens

  82. joind.in/talk/0e3b7 @SammyK #zcoe18 Cross-site request forgery (CSRF) tokens help prevent

    unauthorized requests on a user’s behalf.

  83. joind.in/talk/0e3b7 @SammyK #zcoe18 A CSRF token must be unique and

    unpredictable. *don’t do this

  84. joind.in/talk/0e3b7 @SammyK #zcoe18

  85. joind.in/talk/0e3b7 @SammyK #zcoe18

  86. joind.in/talk/0e3b7 @SammyK #zcoe18

  87. joind.in/talk/0e3b7 @SammyK #zcoe18 I’ll just let PHP seed mt_rand() for

    me. Bad idea jeans *Old SNL skit reference

  88. joind.in/talk/0e3b7 @SammyK #zcoe18

  89. joind.in/talk/0e3b7 @SammyK #zcoe18 What about rand() you ask?

  90. joind.in/talk/0e3b7 @SammyK #zcoe18 Nope

  91. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() …in PHP 7.0 & below

  92. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() Uses the system PRNG (unreliable &

    inconsistent) Is a PRNG (totes predictable) Uniform distribution issues

  93. joind.in/talk/0e3b7 @SammyK #zcoe18 Uniform Distribution

  94. joind.in/talk/0e3b7 @SammyK #zcoe18 0 0.05 0.1 0.15 0.2 1 2

    3 4 5 6

  95. joind.in/talk/0e3b7 @SammyK #zcoe18 0 0.1 0.2 0.3 0.4 1 2

    3 4 5 6

  96. joind.in/talk/0e3b7 @SammyK #zcoe18 Uniform Distribution == True Random

  97. joind.in/talk/0e3b7 @SammyK #zcoe18 mt_rand() Implements the MT algorithm incorrectly Is

    a PRNG (totes predictable) Has a modulo bias

  98. joind.in/talk/0e3b7 @SammyK #zcoe18 Modulo Bias

  99. joind.in/talk/0e3b7 @SammyK #zcoe18 6 % 3 = 0 8 %

    3 = 2 Modulo Operator

  100. joind.in/talk/0e3b7 @SammyK #zcoe18 Random # between 0 & 1 n

    % 2 = 0 or 1 Use mod 2

  101. joind.in/talk/0e3b7 @SammyK #zcoe18 rand_src() = 1, 2, or 3 2

    % 2 = 0 3 % 2 = 1 1 is more likely 1 % 2 = 1

  102. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() …in PHP 7.1 & above

  103. joind.in/talk/0e3b7 @SammyK #zcoe18 mt_rand() Fixes bug in MT algorithm implementation

    Is a PRNG (totes predictable)

  104. joind.in/talk/0e3b7 @SammyK #zcoe18 They’re totes samezies! rand() mt_rand() ===

  105. joind.in/talk/0e3b7 @SammyK #zcoe18

  106. joind.in/talk/0e3b7 @SammyK #zcoe18 rand() mt_rand() Both suffer from modulo bias

    &

  107. joind.in/talk/0e3b7 @SammyK #zcoe18 Seeds aren’t impossible to predict

  108. joind.in/talk/0e3b7 @SammyK #zcoe18 Entropy *Could be it’s own talk

  109. joind.in/talk/0e3b7 @SammyK #zcoe18 A measure of how accurately we’re able

    to predict the next value in a sequence.* * oversimplification

  110. joind.in/talk/0e3b7 @SammyK #zcoe18 High entropy harder to predict Low entropy

    easier to predict

  111. joind.in/talk/0e3b7 @SammyK #zcoe18 High entropy harder to predict Good for

    random number generation

  112. joind.in/talk/0e3b7 @SammyK #zcoe18 Cryptographically Pseudorandom Secure Number Generator

  113. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG or…

  114. joind.in/talk/0e3b7 @SammyK #zcoe18 “See Spring” or…

  115. Unicorn Magical

  116. Uses seeds that are really really really really ridiculously hard

    to guess

  117. joind.in/talk/0e3b7 @SammyK #zcoe18 High Entropy wee!

  118. joind.in/talk/0e3b7 @SammyK #zcoe18 impossible It’s values are to predict in

    practice 42 82 Suitable for use in cryptographic contexts.

  119. mythical Where can we find this creature?

  120. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG options in 5.x

  121. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  122. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  123. joind.in/talk/0e3b7 @SammyK #zcoe18

  124. joind.in/talk/0e3b7 @SammyK #zcoe18 TAKE_ to_live TAKE_ to_lie

  125. joind.in/talk/0e3b7 @SammyK #zcoe18 TAKE_ to_lie 5.6.11

  126. joind.in/talk/0e3b7 @SammyK #zcoe18 5.6.12 TAKE_ to_live

  127. Fails open

  128. joind.in/talk/0e3b7 @SammyK #zcoe18 FALSE Can return

  129. joind.in/talk/0e3b7 @SammyK #zcoe18 empty string Can be

  130. joind.in/talk/0e3b7 @SammyK #zcoe18 Still not done!

  131. joind.in/talk/0e3b7 @SammyK #zcoe18 WRONG Easy to get

  132. joind.in/talk/0e3b7 @SammyK #zcoe18 Worse It gets

  133. joind.in/talk/0e3b7 @SammyK #zcoe18 Since the UNIX fork() system call duplicates

    the entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child […], leading to cryptographic disaster… https://wiki.openssl.org/index.php/Random_fork-safety

  134. joind.in/talk/0e3b7 @SammyK #zcoe18 OpenSSL’s be like 42 CSPRNG 82 82

  135. joind.in/talk/0e3b7 @SammyK #zcoe18 OpenSSL cannot fix the fork-safety problem because

    its not in a position to do so. However, there are [solutions] available and they are listed below. https://wiki.openssl.org/index.php/Random_fork-safety

  136. joind.in/talk/0e3b7 @SammyK #zcoe18 Don't use RAND_bytes https://wiki.openssl.org/index.php/Random_fork-safety

  137. joind.in/talk/0e3b7 @SammyK #zcoe18 Instead, you can read directly from /dev/random,

    /dev/urandom or /dev/srandom; or use CryptGenRandom on Windows systems. https://wiki.openssl.org/index.php/Random_fork-safety

  138. joind.in/talk/0e3b7 @SammyK #zcoe18 Status update! v1.1.1 (2018-09-11)

  139. joind.in/talk/0e3b7 @SammyK #zcoe18 mcrypt_create_iv() /dev/urandom openssl_random_pseudo_bytes()

  140. Fails open

  141. joind.in/talk/0e3b7 @SammyK #zcoe18

  142. joind.in/talk/0e3b7 @SammyK #zcoe18

  143. joind.in/talk/0e3b7 @SammyK #zcoe18

  144. joind.in/talk/0e3b7 @SammyK #zcoe18 /dev/urandom openssl_random_pseudo_bytes() mcrypt_create_iv()

  145. joind.in/talk/0e3b7 @SammyK #zcoe18 open_basedir=/foo/dir

  146. joind.in/talk/0e3b7 @SammyK #zcoe18 openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/urandom

  147. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG New goodness 7

  148. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG random_int() random_bytes()

  149. random_int(0,99) 6,17,6,9,17,53,58,98,46,44,62,9,76,65,46,21,42,5,65,34,11,96,85,7,46,89,98,9,9, 80,8,76,87,18,24,68,16,61,27,39,30,32,4,83,83,23,96,27,13,47,6,99,16,40,2,75,27 ,3,79,68,75,60,50,70,63,17,75,29,79,57,9,48,18,86,95,25,40,52,20,86,6,48,94,27, 76,14,9,27,62,14,68,58,12,18,63,19,84,47,7,13,63,28,66,55,2,75,44,92,11,85,51,1 7,42,57,22,4,53,7,3,76,48,55,95,7,45,33,87,36,11,17,66,6,46,87,57,48,22,31,65,5 ,26,10,47,82,97,74,25,32,63,60,29,53,13,24,56,54,52,86,67,4,94,35,48,73,35,45,2 4,74,74,83,49,70,41,49,20,60,29,49,30,35,38,63,4,86,72,97,26,22,36,95,59,94,24, 89,73,46,14,73,51,93,93,39,13,80,9,30,24,20,30,63,20,64,97,29,7,2,82,96,42,61,5 3,28,49,12,90,71,58,72,63,49,32,69,76,50,62,88,31,26,72,79,19,15,3,39,27,80,16,

    65,62,53,82,59,23,85,95,41,68,86,3,92,76,91,88,12,20,96,14,35,50,94,24,23,44,55 ,78,65,81,7,1,86,32,58,46,97,43,78,9,51,1,6,79,73,49,13,40,21,90,14,9,70,95,88, 37,85,14,7,29,42,55,81,46,39,41,45,81,11,93,26,89,4,98,35,30,36,74,97,18,85,97, 23,52,64,88,20,89,12,25,19,21,21,50,60,50,43,84,1,52,5,19,2,86,38,51,48,30,55,9 0,93,97,52,84,29,58,96,78,37,24,14,72,81,9,82,26,83,83,17,35,15,9,87,95,51,71,4 8,9,45,13,61,98,3,18,96,99,28,74,47,58,71,89,68,57,51,86,90,38,21,72,72,30,22,1 3,88,25,48,45,62,59,81,32,10,54,82,60,90,17,98,41,73,98,60,22,99,66,32,41,82,62 ,91,3,85,91,21,17,98,19,48,50,24,67,3,14,62,55,35,99,95,83,76,12,51,77,61,24,24 ,60,15,31,47,24,27,97,98,70,6,24,25,20,23,67,72,55,47,19,53,50,38,22,76,37,63,8 2,67,52,3,75,84,84,71,49,79,26,89,11,77,55,92,32,81,38,23,54,9,40,80,75,20,7,58 ,37,72,75,59,46,32,41,82,90,72,59,5,42,2,94,44,44,4,15,37,29,24,10,51,18,8,42,5 6,9,68,31,99,7,77,59,8,74,80,11,15,93,81,5,72,44,49,39,25,4,18,98,0,93,42,78,36 ,57,47,16,49,2,85,6,31,17,81,10,54,40,95,68,31,80,29,41,86,32,9,58,96,62,79,25, 6,45,56,54,0,61,74,90,12,34,11,56,3,41,39,84,32,30,42,81,36,43,5,

  150. joind.in/talk/0e3b7 @SammyK #zcoe18 bin2hex(random_bytes(16)) f7f5289027cb6c5116d 2d3cc78e5819c

  151. Fails Closed

  152. joind.in/talk/0e3b7 @SammyK #zcoe18 You’re not strong until you’re crypto-strong!

  153. CSPRNG under the hood

  154. None

  155. joind.in/talk/0e3b7 @SammyK #zcoe18 On Windows: CryptGenRandom On BSD: arc4random_buf() On

    Linux: getrandom(2) syscall Read directly from /dev/urandom

  156. joind.in/talk/0e3b7 @SammyK #zcoe18 /dev/urandom So what is this thing?

  157. /dev/urandom Gathers environmental noise from the system like… …device drivers,

    inter-keyboard timings, inter-interrupt timings from some interrupts, and other events which are both (a) non-deterministic and (b) hard for an outside observer to measure. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/char/random.c

  158. joind.in/talk/0e3b7 @SammyK #zcoe18 CSPRNG random_bytes() random_int() 7 /dev/urandom Powered by

  159. joind.in/talk/0e3b7 @SammyK #zcoe18 Still on 5.x? paragonie/random_compat Polyfill for PHP

    7 CSPRNG

  160. joind.in/talk/0e3b7 @SammyK #zcoe18 http://php.net/supported-versions.php 5.6 EOL in 75 days

  161. joind.in/talk/0e3b7 @SammyK #zcoe18 http://php.net/supported-versions.php 7.0 EOL in 47 days

  162. joind.in/talk/0e3b7 @SammyK #zcoe18 FAQ’s

  163. joind.in/talk/0e3b7 @SammyK #zcoe18 Benchmarks* * are lies

  164. joind.in/talk/0e3b7 @SammyK #zcoe18 If random_bytes() random_int() are… …why not update

    mt_rand()

  165. joind.in/talk/0e3b7 @SammyK #zcoe18

  166. joind.in/talk/0e3b7 @SammyK #zcoe18

  167. joind.in/talk/0e3b7 @SammyK #zcoe18 TL;DR Never use LCG, MT, or any

    other PRNG in cryptographic contexts Only use a CSPRNG like /dev/urandom for crypto Use random_bytes() & random_int() in PHP (or install paragonie/random_compat)

  168. joind.in/talk/0e3b7 @SammyK #zcoe18 More Resources

  169. joind.in/talk/0e3b7 @SammyK #zcoe18 Recommendation for the Entropy Sources Used for

    Random Bit Generation Final Draft - NIST SP 800-90B https://csrc.nist.gov/publications/detail/sp/800-90b/final

  170. joind.in/talk/0e3b7 @SammyK #zcoe18 New & improved man pages for /dev/urandom

    http://man7.org/linux/man-pages/man7/random.7.html

  171. joind.in/talk/0e3b7 @SammyK #zcoe18 Myths about /dev/urandom Thomas Hühn https://www.2uo.de/myths-about-urandom/ With

    pretty pictures!

  172. joind.in/talk/0e3b7 @SammyK #zcoe18 Cracking Random Number Generators Three-part blog post

    series James Roper https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html

  173. joind.in/talk/0e3b7 @SammyK #zcoe18 How I Met Your Girlfriend DEF CON

    18 Samy Kamkar https://www.youtube.com/watch?v=fWk_rMQiDGc

  174. joind.in/talk/0e3b7 @SammyK #zcoe18 Weak RNG in PHP session ID generation

    leads to session hijacking Andreas Bogk http://seclists.org/fulldisclosure/2010/Mar/519

  175. joind.in/talk/0e3b7 @SammyK #zcoe18 Sammy Kaye Powers Thanks! /talk/0e3b7 @SammyK SammyK.me

    Host of @PHPRoundtable