Matthew Kerwin :: Blog

PseudoRandom Number Generator

My new web host uses the Suhosin PHP Hardening extension. This is all very well and good, and I appreciate the extra security I suppose it affords my site. Unfortunately, two options my host uses (suhosin.srand.ignore and suhosin.mt_srand.ignore) have the effect of completely disabling the seeding of both the rand() and mt_rand() pseudorandom number generators in PHP. Since some time around PHP 5 both PRNGs have automatically seeded themselves, so it's not a fatal thing to have happen; what it means, though, is if I were to — for the sake of argument — generate a document with random contents, I could no longer just record the seed if I wanted to recreate the document.

I can see that misusing the PRNG seeds could lead to security issues, for example if your site depends on the PRNGs to generate session info. However, since for the past few years manual seeding has been optional, wouldn't one assume that anyone in such a situation would either: a) use the built-in seeding, or b) make sure they pick a really good seed? Disabling seeding altogether doesn't patch up a vulnerability, it simply removes half the power of PRNGs.

To get around the whole issue, I implemented a dodgy PRNG (which I found on this site: http://computer.howstuffworks.com/question697.htm) in PHP. It was apparently invented by K&R, so must therefore be awesome. Because PHP isn't C, my implementation is a pale imitation of the gloriously simple two-liner on the website, but it seems to work, and my documents can be recreated from just their seeds. I wouldn't want to use it for anything important, though.

If you're interested, you can find my PHP implementation here.

... Matty /<

thumbnail image

Matthew Kerwin

Published
Modified
License
CC BY-SA 4.0
Tags
software
What do you do when you are no longer able to manually seed your pseudo-random number generators? Why, implement your own, of course!
Comments powered by Disqus