RE: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions
First, I want to ask: Does anyone else think we should draw a distinction between RNGs and CSPRNGs?
I ask this because the OpenSSL option here is the only CSPRNG; the others are trivially breakable
and should not be used for cryptographic applications. I could see an argument for wanting to use
them in non-security contexts, but I'm wondering if the API should make it clear when that is
being done.
Secondly, a good place to look for defining a standard secure CSPRNG is FIPS 140-2 Annex C
(csrc.nist.gov/publications/fips/fips140-2/fips1402annexc.pdf)
Bryan
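One way an API could make the RNG/CSPRNG distinction visible to callers, as an added example written for this thread (not code from the proposal or from PHP itself): the function names carry the guarantee, the CSPRNG path checks OpenSSL's `$crypto_strong` flag instead of silently degrading, and integers are drawn by rejection sampling so the result is not biased by a modulo. The helper names `secure_random_bytes`, `secure_random_int` and `fast_random_int` are assumed names for illustration.

```php
<?php
// Added example, not part of the original thread. Requires the OpenSSL extension.

/**
 * CSPRNG path: cryptographically strong bytes or an exception, never a quiet fallback.
 */
function secure_random_bytes($length)
{
    $strong = false;
    // openssl_random_pseudo_bytes reports in $strong whether OpenSSL used a
    // cryptographically strong source on this platform.
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new RuntimeException('No cryptographically strong RNG available');
    }
    return $bytes;
}

/**
 * CSPRNG path for integers in [$min, $max] (range limited to 31 bits here to keep
 * the arithmetic portable between 32- and 64-bit builds).
 * Uses rejection sampling: draw bits, mask to the smallest covering width, retry
 * if the value falls outside the range. Suitable for tokens, nonces, key material.
 */
function secure_random_int($min, $max)
{
    if ($min > $max) {
        throw new InvalidArgumentException('min must not exceed max');
    }
    $range = $max - $min;
    if ($range === 0) {
        return $min;
    }
    if ($range > 0x7fffffff) {
        throw new InvalidArgumentException('range too large for this helper');
    }

    // Smallest all-ones bit mask that covers $range, and the bytes needed to hold it.
    $mask = 1;
    while ($mask < $range) {
        $mask = ($mask << 1) | 1;
    }
    $bytes = 0;
    for ($m = $mask; $m > 0; $m >>= 8) {
        $bytes++;
    }

    do {
        $chunk = secure_random_bytes($bytes);
        $value = 0;
        for ($i = 0; $i < $bytes; $i++) {
            $value = ($value << 8) | ord($chunk[$i]);
        }
        $value &= $mask;           // discard bits above the mask width
    } while ($value > $range);     // reject and redraw: keeps the distribution uniform

    return $min + $value;
}

/**
 * Statistical RNG path (Mersenne Twister): fine for simulations, sampling and
 * shuffling, explicitly NOT for anything an attacker must be unable to predict.
 */
function fast_random_int($min, $max)
{
    return mt_rand($min, $max);
}

// Usage: the call site documents which guarantee it relies on.
$sessionToken = bin2hex(secure_random_bytes(32));   // security-sensitive
$diceRoll     = fast_random_int(1, 6);              // not security-sensitive
$otpDigit     = secure_random_int(0, 9);            // security-sensitive
```

The point of the split is reviewability: a grep for `fast_random_` in code that generates tokens or keys is an immediate finding, whereas a single `rand()`-style entry point with an algorithm constant hides the decision inside a parameter.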
-----Original Message-----
From: Marc Bennewitz [mailto:[email protected]]
Sent: Friday, August 30, 2013 2:59 PM
To: [email protected]
Subject: Re: [PHP-DEV] More powerful (and backward compatible) API of random number generator functions
On 30.08.2013 04:30, Yasuo Ohgaki wrote:
> On Thu, Aug 29, 2013 at 9:00 PM, Ángel González <[email protected]> wrote:
>
>> Marc Bennewitz wrote:
>>
>>> Idea for an RFC for a more powerful (and backward compatible) API of
>>> random number generator functions.
>>>
>>> The following pseudocode is self-explanatory (hopefully)
>>>
>>> const RAND_ALGO_LIBC
>>> const RAND_ALGO_MERSENNE_TWISTER
>>> const RAND_ALGO_OPENSSL
>>> const RAND_ALGO_GMP
>>>
>> (...)
>>
>>> What do you think?
>>>
>>
>> Why do you want them?
>
>
> This proposal is good because we need the best random function
> available in a system with easy to use API. I would like to see the
> best algorithm in a system as default.
>
Defining the "best" algorithm as the standard default would be great, but what is the best
algorithm? Some are fast but less secure and others are more secure but slow.
Some time ago I read a feature request to implement the Mersenne Twister algorithm for
rand/shuffle/array_rand, but this was closed because it would be a BC break. (Can't find it
now.)
Best Regards
Marc
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php