在PHP中解决不安全随机数生成问题 [英] Address insecure random number generation in PHP
问题描述
我的问题 - 这是一个严重的问题吗?如何在PHP中修复?
谢谢。
这个问题的答案完全取决于你使用rand()调用的结果。
如果您使用它们来加密密钥,那么工具的安全性取决于随机数的随机性,那么,这是一个严重的关心。在这种情况下,您不应该调用rand()或mt_rand(),因为它们都不会产生足够随机的依赖密码使用的随机数字。您真的想利用您运行在Unix / Linux系统上的底层伪随机数生成器(PRNG) - / dev / urandom上的平台或Windows系统上的crypto-api,因为这些平台已被广泛研究并生成真正的随机数适用于密码系统。 PHP不会使访问这些随机源变得容易,但是例子确实存在如何这样做(像这样 - > http://www.php.net/manual/en/function.mt-rand.php#83655 )。
如果您正在使用随机的其他东西,就像随机化首先向用户呈现哪个选项,或者类似的选项,生成的数字不会以任何加密方式使用,那么您可能可以使用rand()或mt_rand()去掉。但是,如果您的应用程序/模块依赖于良好的随机数来获得安全性,那么您真的需要利用操作系统源,如上所述。
we are running Fortify scans on various Drupal modules, and a common critical/high result is "Insecure Randomness". It states that the rand() function cannot withstand a cryptographic attack.
My question - is this a serious concern? How to fix it in PHP?
Thank you.
The answer to this question entirely depends on what you are using the results from the rand() call for.
If you're using them for things like cryptographic keys, where the security of the tool depends on the randomness of your random numbers, then, yes, this is a serious concern. In that case, you should not call rand() or mt_rand(), as both do not produce "random" numbers that are sufficiently random to rely on for cryptographic use. You really want to make use of the platform you're running on's underlying pseudorandom number generator (PRNG) - /dev/urandom on a Unix/Linux system or the crypto-api on a Windows system - as these have been studied extensively and produce really random numbers that are suitable for use in cryptosystems. PHP doesn't make accessing these random sources all that easy, but examples do exist on how to do so (like this -> http://www.php.net/manual/en/function.mt-rand.php#83655).
If you're using randoms for something else, like to randomize which option is presented to the user first, or something like that, where the numbers produced are not being used in any cryptographical way, then you may be able to get away with using rand() or mt_rand(). But, if your applications/modules rely on good random numbers for their security, you really need to take advantage of the OS sources, as described above.
这篇关于在PHP中解决不安全随机数生成问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
