On Fri, Feb 7, 2014 at 12:25 PM, Pierre Joye <[email protected]> wrote:
> hi,
>
> There are a lot of additions and discussions about entropy source and
> (P)RNG lately.
>
> PHP already has a ini setting to define a strong entropy source for
> the session module, which defaults to urandom or arandom.
>
> I would like to create two settings to unify the entropy source
> accross php functions. That includes mcrypt, new password APIs,
> session, LCG, etc.
>
> Something along this line:
>
> random.entropy_strong_source (/dev/(u|a)random etc.)
> random.entropy_crypto_source (/dev/random etc.)
>
> I am not willing to propose new RNG functions or extensions for 5.6 as
> we have way too little time to actually discuss its design and APIs.
> However having these settings unified and documented would be a good
> step forward already.
>
To clarify what this proposal does (from otr discussion with Pierre):
* openssl_pseudo_random_bytes - not changed
* mcrypt_create_iv($n, MCRYPT_DEV_RANDOM) - uses crypto_source instead of
/dev/random
* mcrypt_create_iv($n, MCRYPT_DEV_URANDOM) - uses strong_source instead of
/dev/urandom
* mcrypt_create_iv($n, MCRYPT_RAND) - not changed
* password_hash() - uses strong_source
* session ID - uses strong_source
* lcg_value, rand, mt_rand - not changed
Hope everything is correct :)
Nikita