dpv50040
2013-06-28 10:16
浏览 75
已采纳

为什么PHP的mt_rand在加密方面不安全?

From http://php.net/manual/en/function.mt-rand.php:

Caution This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

Can someone please explain what this means in the context of a website? Does it mean it should not be used to generate a security token?

On a 32-bit system PHP_INT_SIZE is just over 2 billion. If I generate a number mt_rand(0, PHP_INT_SIZE) and add on a long random string of say 100 chars and use it as a security token, is it saying that it is insecure?

图片转代码服务由CSDN问答提供 功能建议

来自 http://php.net/manual/en/function.mt-rand.php

注意此功能不会生成加密安全值,也不应用于加密目的。

有人可以解释这意味着什么 网站的背景? 这是否意味着它不应该用于生成安全令牌?

在32位系统上 PHP_INT_SIZE 刚刚超过20亿。 如果我生成一个数字 mt_rand(0,PHP_INT_SIZE)并添加一个长100个字符的随机字符串并将其用作安全令牌,它是说它不安全吗? \ n

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • douxian1770 2013-06-28 10:47
    已采纳

    If by "security token" you mean a nonce, i.e. an one-use token that should be unique with near certainty then mt_rand is just fine.

    "Does not generate cryptographically secure values" in this context means that given enough information on the state of the generator someone can predict what its output will be in the future. Obviously this is a deal-breaker if you are going to use said output to encrypt sensitive information.

    点赞 评论
  • ds2321 2013-06-28 10:27

    It's because it's not really random. Mersenne Twister is based on a linear recursion, so any pseudo random number sequence generated by a linear recursion is insecure, since from sufficiently long subsequence of the outputs, one can predict the further results.

    点赞 评论

相关推荐 更多相似问题