* Tony Reed ([EMAIL PROTECTED]) [010921 10:26]:
> :On UNIX we could seed rand() with /dev/urandom, else we could use time of
> :day. (Any other suggestions would be welcome.)
> 
> <http://www.fourmilab.ch/hotbits/>
> 
> You can pick up as many random bytes as you want; usually use a 16-bit
> INT as a seed.

Public sources of random bits should never be used as a basis for
random numbers in a language or library since there is no way to know
what the library/language user is doing with those bits.

If the application is one where knowledge of the random stream is a
security threat (which includes many applications such as
authentication, session key generation, unique hash generation,
etc. -- and probably anything remotely underlying "e-commerce"
transactions) an attacker need only understand the algorithm and
access the same source of bits to duplicate the random number stream
with minimal effort.  One must assume that an open source algorithm is
understood by an attacker.

The suggestion given is a BAD idea and would put PHP in the BUGTRAQ
Hall of Fame for the next decade.

Rick
-- 
 Mostly useless pseudo-random number: 662
 Rick Bradley - http:[EMAIL PROTECTED]  (80 F)

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
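The reproducibility Rick describes can be shown in a few lines. The following is an added example, not code from the thread or from PHP itself: it derives a "session token" once from PHP's seeded Mersenne Twister (`mt_srand`/`mt_rand`) using a seed that is assumed to be readable by anyone (a constructed 16-bit value standing in for bits fetched from a public service), and once from the operating system's CSPRNG via `random_bytes()`. The function names and the seed value are assumptions made for the illustration.

```php
<?php
// Added example (not from the mailing-list thread): why seeding a PRNG from a
// publicly readable source gives no protection for security-sensitive values.

/**
 * Derive a hex "session token" from PHP's seeded PRNG.
 * The algorithm is public (open source) and $seed is assumed to be public too,
 * so anyone holding both can regenerate exactly this stream.
 */
function token_from_seeded_prng(int $seed, int $length = 16): string {
    mt_srand($seed);                 // deterministic: same seed => same stream
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= sprintf('%02x', mt_rand(0, 255));
    }
    return $token;
}

/**
 * Derive the same kind of token from the OS CSPRNG (random_bytes, PHP >= 7.0).
 * There is no seed to share or guess, so there is no stream to reproduce.
 */
function token_from_csprng(int $length = 16): string {
    return bin2hex(random_bytes($length));
}

/** True when two independently generated tokens collide; used as a quick check. */
function tokens_collide(string $a, string $b): bool {
    return hash_equals($a, $b);
}

// Constructed seed: stands in for a 16-bit value pulled from a public
// "random bits" service, i.e. a value the whole world can also read.
$publicSeed = 0xBEEF;

$serverToken   = token_from_seeded_prng($publicSeed);
$replayedToken = token_from_seeded_prng($publicSeed);  // anyone with the seed

printf("seeded PRNG, server  : %s\n", $serverToken);
printf("seeded PRNG, replayed: %s\n", $replayedToken);
printf("streams identical    : %s\n",
       tokens_collide($serverToken, $replayedToken) ? 'yes' : 'no');   // yes

$csprngA = token_from_csprng();
$csprngB = token_from_csprng();
printf("CSPRNG, call 1       : %s\n", $csprngA);
printf("CSPRNG, call 2       : %s\n", $csprngB);
printf("streams identical    : %s\n",
       tokens_collide($csprngA, $csprngB) ? 'yes' : 'no');             // no
```

Run it with `php seed_demo.php`. The seeded path prints the same token on both calls for every run, which is exactly the property Rick warns about: the secrecy of the output rests entirely on the secrecy of the seed, and a seed taken from a public web service (or from the time of day) has none. The `random_bytes()` path has no seed to protect, which is why `/dev/urandom`-style OS sources, and in modern PHP `random_bytes()`/`random_int()`, are the appropriate basis for tokens, session identifiers and keys.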
