Thomas,

> This:
>
> http://barebonescms.com/documentation/csprng/
>
> Takes a different approach. Generate one or more stored root seeds and then
> use those seeds to generate as much data as is needed without risking loss
> of entropy. It also accepts extra entropy sources as input - even weak
> sources such as an incrementing integer or serialized user-submitted data -
> to further enhance the output.

Actually, I would not call that CS. Where's the white paper for the algorithm? Where's the RFC? Just because you take data from a lot of sources does not make it CS... And just putting the *kitchen sink* into a single sha512 hash does not either. The vast majority of the data that's being called entropy is purely static on the system (page to page won't change).

Especially for something that's going into core, I'd suggest sticking to approved, vetted algorithms. If it doesn't have an RFC or a reviewed white paper, I would avoid it.

Additionally, it's pushing all of the "entropy sources" into a single hash bucket. I'd much rather see it push each one through an HMAC round with the existing data. That way, the relationship between a specific source and the overall result is complex. It's not just complex in relation to other data, but also into the algorithm itself...

> Adding more random sources of information to PHP is a good thing. If
> something like what is being discussed is developed, it will merely become
> one more source for root seed generation. The more the merrier. Good
> sources of entropy are hard to come by.

Definitely agree...

> One thing I would like to recommend is add to the documentation that certain
> functions are inappropriate for specific use cases and recommend alternative
> solutions. A lot of people out there think rand() and mt_rand() are
> suitable for security. Maybe have a specific page in the PHP documentation
> dedicated to covering random string and number generation and link to that
> page from various function pages.

Sounds good to me...

Anthony

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
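An added illustration (not code from this thread, from PHP, or from the barebonescms project) of the structural difference Anthony describes: a single SHA-512 bucket over concatenated sources versus one HMAC round per source keyed by the running pool state, plus a separate output derivation so the stored root state never leaves the pool. The source values are constructed for the demo, and the mixer is a sketch of the structure, not a vetted construction; a real pool should follow an RFC-level design such as HMAC-DRBG or HKDF, as the thread advises.

```python
import hashlib
import hmac
from typing import Callable, Sequence

# Constructed sample "entropy sources" for this demo; none of them is real entropy,
# and, as in the thread, they are static from one page load to the next.
STATIC_SOURCES = [b"php-version=5.4.0", b"hostname=webhost01", b"uid=33"]


def single_bucket_pool(sources: Sequence[bytes]) -> bytes:
    """'Kitchen sink' design: join every source and hash once with SHA-512.
    Concatenation drops the source boundaries, so the hash cannot tell
    ["ab", "c"] from ["a", "bc"]."""
    return hashlib.sha512(b"".join(sources)).digest()


def hmac_chain_pool(sources: Sequence[bytes], state: bytes = b"\x00" * 64) -> bytes:
    """One HMAC round per source, keyed by the running pool state:
    state_{i+1} = HMAC-SHA512(key=state_i, msg=source_i).
    Each source is a separate keyed invocation, so boundaries are unambiguous
    and each source's contribution depends on everything mixed before it."""
    for src in sources:
        state = hmac.new(state, src, hashlib.sha512).digest()
    return state


def derive_output(state: bytes, nbytes: int) -> bytes:
    """Expand a pool state into output bytes with counter-mode HMAC, so the
    stored root state itself never appears in the output stream."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        label = b"output" + counter.to_bytes(4, "big")
        out += hmac.new(state, label, hashlib.sha512).digest()
        counter += 1
    return out[:nbytes]


def has_boundary_collision(pool: Callable[[Sequence[bytes]], bytes]) -> bool:
    """True if the mixer cannot distinguish two different splits of the same bytes."""
    return pool([b"ab", b"c"]) == pool([b"a", b"bc"])


if __name__ == "__main__":
    print("single bucket collides on boundaries:", has_boundary_collision(single_bucket_pool))
    print("HMAC chain collides on boundaries:", has_boundary_collision(hmac_chain_pool))
    # Static sources give the same pool every request, whichever mixer is used.
    print("static-only pools repeat:", hmac_chain_pool(STATIC_SOURCES) == hmac_chain_pool(STATIC_SOURCES))
```

The last line in the main block is the other half of Anthony's point: chaining changes how sources relate to the result, but static inputs still yield a repeating pool, so mixing is no substitute for genuine entropy.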