2

From http://php.net/manual/en/function.mt-rand.php:

Caution This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

Can someone please explain what this means in the context of a website? Does it mean it should not be used to generate a security token?

On a 32-bit system PHP_INT_SIZE is just over 2 billion. If I generate a number mt_rand(0, PHP_INT_SIZE) and add on a long random string of say 100 chars and use it as a security token, is it saying that it is insecure?

4

2 回答 2

2

If by "security token" you mean a nonce, i.e. an one-use token that should be unique with near certainty then mt_rand is just fine.

"Does not generate cryptographically secure values" in this context means that given enough information on the state of the generator someone can predict what its output will be in the future. Obviously this is a deal-breaker if you are going to use said output to encrypt sensitive information.

于 2013-06-28T10:47:58.463 回答
1

It's because it's not really random. Mersenne Twister is based on a linear recursion, so any pseudo random number sequence generated by a linear recursion is insecure, since from sufficiently long subsequence of the outputs, one can predict the further results.

于 2013-06-28T10:27:47.187 回答