Reputation: 3096
I came across those articles:
which show how to recover the seed of the mt_rand() function. The attached code can brute force the seed from the first mt_rand() in one minute (or faster). The truth is that most PHP applications use mt_rand with range arguments. This truncates the result. My question is: does it make it more difficult to crack? For a start, I can imagine that one can't brute force it with just one number. He needs to have a whole sequence. Does it make the cracking process significantly longer, or doesn't it really matter? Is mt_rand(from, to) much more secure than mt_rand()?
Upvotes: 0
Views: 588
Reputation: 655369
Calling mt_rand($min, $max) is basically equivalent to the following:
$rand_in_range_min_to_max = (int)($min + ($max - $min) * ($rand/mt_getrandmax()));
So instead of having the random number picked from the theoretical range from 0 to 2^31-1, you have the number picked from $min to $max instead. And if $min is larger than 0 or $max is less than 1<<31-1, this alone already reduces the number of possible seed values.
Now since the presented attack is a brute-force attack, reducing the number of guesses does also reduce the time to complete the brute-force process.
However, since the resulting value from the brute-force process is not the actual random value but only the value that the random value was mapped onto, an attacker would need to check each possible input value that is mapped onto that brute-forced value. That range can be calculated as follows:
// smallest raw value mapped onto $rand_in_range_min_to_max; ceil() instead of a plain
// (int) cast, otherwise the lower edge is one below the bucket and the assert below fails
$rand_min = (int)ceil(($rand_in_range_min_to_max - $min) / ($max - $min) * mt_getrandmax());
$rand_max = (int)($rand_min + mt_getrandmax() / ($max - $min + 1));
// every raw value in [$rand_min, $rand_max] is mapped onto $rand_in_range_min_to_max;
// loop instead of range(), which would allocate an array of hundreds of millions of entries
for ($rand = $rand_min; $rand <= $rand_max; $rand++) {
    assert($rand_in_range_min_to_max === (int)($min + ($max - $min) * ($rand/mt_getrandmax())));
}
As each of the numbers in the range is mapped identically, they are all only potential numbers for generating the next random number in the sequence. To unmistakably identify the actual number, an attacker would need at most mt_getrandmax() / ($max - $min) subsequently generated random numbers.
So, actually, using mt_rand($min, $max) does increase the effort for an attacker to find the actual seed, as he has to brute-force seeds for multiple random values and he would need mt_getrandmax() / ($max - $min) subsequently generated random numbers to uniquely identify the right seed.
Upvotes: 2
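An added example, not part of the answer above: it restates the answer's mapping formula in exact integer arithmetic so the preimage interval of one observed mt_rand($min, $max) output can be computed and checked without floating-point edge errors. It models the answer's approximation, not the RAND_RANGE scaling inside PHP itself; mt_getrandmax() is assumed to be 2^31-1.

```python
# Added example (not the answer's code). Models the answer's approximation
#   out = $min + floor(($max - $min) * $rand / mt_getrandmax())
# where $rand is the raw 31-bit draw the seed recovery actually needs.
M = 2**31 - 1  # assumed value of mt_getrandmax()


def map_to_range(rand, lo, hi, m=M):
    """Apply the answer's range mapping to one raw draw `rand` in [0, m]."""
    return lo + (hi - lo) * rand // m


def preimage(out, lo, hi, m=M):
    """Closed interval [first, last] of raw draws that all map onto `out`.

    Ceil division keeps the edges exact; the last bucket is clamped to m.
    """
    span = hi - lo
    if span == 0:
        return 0, m  # a one-value range tells the attacker nothing
    k = out - lo
    first = -(-k * m // span)            # ceil(k * m / span)
    last = -(-(k + 1) * m // span) - 1   # one below the next bucket's first value
    return first, min(last, m)


def candidates_per_output(lo, hi, m=M):
    """Raw draws left indistinguishable by one output: the answer's m / ($max - $min)."""
    return m // (hi - lo)


def bucket_is_consistent(out, lo, hi, m=M, samples=1000):
    """Check that the whole preimage maps to `out` and its neighbours do not.

    Interior values are sampled (a bucket can hold ~2e8 draws); edges are exact.
    """
    first, last = preimage(out, lo, hi, m)
    step = max(1, (last - first) // samples)
    inside = all(map_to_range(r, lo, hi, m) == out for r in range(first, last + 1, step))
    inside = inside and map_to_range(last, lo, hi, m) == out
    below_ok = first == 0 or map_to_range(first - 1, lo, hi, m) != out
    above_ok = last == m or map_to_range(last + 1, lo, hi, m) != out
    return inside and below_ok and above_ok


if __name__ == "__main__":
    first, last = preimage(5, 0, 9)
    print(f"output 5 of mt_rand(0, 9) covers raw draws {first}..{last}")
    print(f"{candidates_per_output(0, 9)} raw values per output remain candidates")
```

For mt_rand(0, 9) a single output leaves roughly 2.4e8 of the 2^31 raw values open, which is the bucket the answer's assert loop walks.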