dpv50040 2013-06-28 10:16
浏览 105
已采纳

为什么PHP的mt_rand在加密方面不安全?

From http://php.net/manual/en/function.mt-rand.php:

Caution This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

Can someone please explain what this means in the context of a website? Does it mean it should not be used to generate a security token?

On a 32-bit system PHP_INT_SIZE is just over 2 billion. If I generate a number mt_rand(0, PHP_INT_SIZE) and add on a long random string of say 100 chars and use it as a security token, is it saying that it is insecure?

  • 写回答

2条回答 默认 最新

  • douxian1770 2013-06-28 10:47
    关注

    If by "security token" you mean a nonce, i.e. an one-use token that should be unique with near certainty then mt_rand is just fine.

    "Does not generate cryptographically secure values" in this context means that given enough information on the state of the generator someone can predict what its output will be in the future. Obviously this is a deal-breaker if you are going to use said output to encrypt sensitive information.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 拟通过pc下指令到安卓系统,如果追求响应速度,尽可能无延迟,是不是用安卓模拟器会优于实体的安卓手机?如果是,可以快多少毫秒?
  • ¥20 神经网络Sequential name=sequential, built=False
  • ¥16 Qphython 用xlrd读取excel报错
  • ¥15 单片机学习顺序问题!!
  • ¥15 ikuai客户端多拨vpn,重启总是有个别重拨不上
  • ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)
  • ¥15 相敏解调 matlab
  • ¥15 求lingo代码和思路
  • ¥15 公交车和无人机协同运输
  • ¥15 stm32代码移植没反应