This article introduces the CSPRNG functions in PHP. I hope it will be helpful to everyone.
1. What is CSPRNG
Quoting Wikipedia, a cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) that produces pseudo-random numbers suitable for use in cryptographic algorithms.
A CSPRNG is mainly used for:
Key generation (for example, generating complex keys)
Generating random passwords for new users
Encryption systems
A key aspect of achieving a high level of security is high-quality randomness.
2. CSPRNG in PHP7
PHP 7 introduces two new functions that can be used to implement CSPRNG: random_bytes and random_int.
The random_bytes function returns a string and accepts an int parameter giving the number of bytes to return.
Example:

    $bytes = random_bytes(10); // the length is an int, not a string
    var_dump(bin2hex($bytes));
    // possible output: string(20) "7dfab0af960d359388e6"

The random_int function returns an int within the specified range.
Example:

    var_dump(random_int(1, 100));
    // possible output: int(27)

3. Background running environment
The source of randomness behind the above functions depends on the environment:
On Windows, CryptGenRandom() is always used.
On other platforms, arc4random_buf() is used if it is available (this is the case on BSD-family systems and on systems with libbsd).
If neither of the above applies, the Linux system call getrandom(2) is used.
If that is not available either, /dev/urandom is used as the last resort.
If none of the above works, an error is thrown.
A good random number generation system ensures appropriate generation "quality". To check this quality, a series of statistical tests are usually performed. Without delving into complex statistics topics, comparing a known behavior to the results of a number generator can help with quality assessment.
A simple test is a dice game. Assuming that the probability of getting a 6 when rolling one die is 1/6, if I roll 3 dice at the same time 100 times, the results will be roughly as follows:
0 sixes = 57.9 times
1 six = 34.7 times
2 sixes = 6.9 times
3 sixes = 0.5 times
The following is the code to implement rolling dice 1,000,000 times:

    $times = 1000000;
    // number of sixes in one throw (0 to 3) => how many throws produced it
    $result = [0 => 0, 1 => 0, 2 => 0, 3 => 0];

    function roll() {
        return random_int(1, 6);
    }

    for ($i = 0; $i < $times; $i++) {
        $dieRoll = array_fill(1, 6, 0); // one counter per face, all starting at zero
        $dieRoll[roll()] += 1; // first die
        $dieRoll[roll()] += 1; // second die
        $dieRoll[roll()] += 1; // third die
        $result[$dieRoll[6]] += 1; // counts the sixes
    }

    var_dump($result);

Using PHP 7's random_int and the plain rand function may give the following results
To compare rand and random_int more clearly, we can apply a formula and plot the results on a graph. The formula is: (PHP result - expected result) / (expected result raised to the 0.5 power).
The result graph is as follows:
(values close to 0 are better)
Although the result for three sixes is not good, and this test is too simple for practical applications, we can still see that random_int performs better than rand.
Furthermore, the security level of our application is raised by the unpredictability, and the absence of repeatable behavior, of the random number generator.
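The comparison described above can be reproduced with the following added example, which is not code from the original article. It runs the three-dice test with both rand and random_int and applies the formula (PHP result - expected result) / (expected result)^0.5 to each count; the function names and the binomial calculation of the expected counts are assumptions of this example.

```php
<?php
// Added example: expected counts follow the binomial distribution for
// three dice with P(six) = 1/6. All names here are illustrative.
const DICE = 3;
const THROWS = 1000000;

// Expected number of throws (out of $throws) that show exactly $k sixes.
function expectedCount(int $k, int $throws): float
{
    $comb = [1, 3, 3, 1][$k]; // C(3, k), valid for DICE = 3 only
    return $throws * $comb * (1 / 6) ** $k * (5 / 6) ** (DICE - $k);
}

// Throw three dice $throws times with the given roller; count sixes per throw.
function countSixes(callable $roll, int $throws): array
{
    $result = array_fill(0, DICE + 1, 0);
    for ($i = 0; $i < $throws; $i++) {
        $sixes = 0;
        for ($d = 0; $d < DICE; $d++) {
            $sixes += ($roll() === 6) ? 1 : 0;
        }
        $result[$sixes]++;
    }
    return $result;
}

// The article's formula, applied to each "number of sixes" bucket.
function deviation(array $observed, int $throws): array
{
    $out = [];
    foreach ($observed as $k => $count) {
        $expected = expectedCount($k, $throws);
        $out[$k] = ($count - $expected) / sqrt($expected);
    }
    return $out;
}

$generators = [
    'rand'       => function () { return rand(1, 6); },
    'random_int' => function () { return random_int(1, 6); },
];
foreach ($generators as $name => $roll) {
    foreach (deviation(countSixes($roll, THROWS), THROWS) as $k => $score) {
        printf("%-10s %d sixes: %+.2f\n", $name, $k, $score);
    }
}
```

The scores differ from run to run; as noted above, values close to 0 are better.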
Summary: The above is the entire content of this article. I hope it will be helpful to everyone's study.