0

I've written a code that should generate pseudo-random strings. I tried to improve the randomness by gathering entropy from user's mouse movements.

Here is my code :

// As described in the PHP documentation
function make_seed() {
    list($usec, $sec) = explode(' ', microtime());
    return (float) $sec + ((float) $usec * 100000);
}

function rand_string($entropy, $length, $chars) {
    mt_srand($entropy . make_seed()); // Here is the important line
    $return = '';
    $charlen = strlen($chars);
    for ($i=0;$i<$length;$i++) {
        $rand = mt_rand(0, $charlen) - 1;
        $return .= substr($chars, $rand, 1);
    }
    return $return;
}

$entropy = '18421828841384386426948169412548'; // Mouse movements, changes everytime
echo rand_string($entropy, 20, 'abcdefghijklmnopqrstuvwxz');

I ran the function a couple of times. Some values show up very frequently, so this is a very weak function. I can't understand why. Is there a limit on mt_srand's parameter ? Does it have to be a number ?

Edit : mt_srand() seed must be an INT.

Improve this question
6
  • mt_rand is seeded randomly by default anyway, so one shouldn't need to seed it manually unless you have a specific need to override the default seeding. Also, are you resetting the seed repeatedly in the same program run? If so, that's also not necessary, and could reduce your randomness. Commented Feb 28, 2013 at 15:12
  • 1
    improve the randomness Nicely spoken =p Commented Feb 28, 2013 at 15:14
  • @SDC I have never been confident with random functions so I wanted to add a unique per-user parameter. I hope it is safe to rely on PHP without needing entropy. I'll try as you said, thank you. Commented Feb 28, 2013 at 15:15
  • @Bondye I'm not sure I understand your comment. Are you being sarcastic because it's not an improvement ? ^^ Commented Feb 28, 2013 at 15:17
  • @mimipc No, not sarcastic. You just made me smile :D If something is pseudo-random. How can it be improved? Right, using not pseudo-random. For example, I use random.org api for my passwords. Commented Feb 28, 2013 at 15:24

2 Answers 2

Reset to default
1

mt_srand() takes an unsigned 32 bit integer to initialize the mersenne twister.
http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/rand.c?revision=321634&view=markup:

194     /* {{{ php_mt_srand
195     */
196     PHPAPI void php_mt_srand(php_uint32 seed TSRMLS_DC)
197     {
198     /* Seed the generator with a simple uint32 */
199     php_mt_initialize(seed, BG(state));
200     php_mt_reload(TSRMLS_C);
201     
202     /* Seed only once */
203     BG(mt_rand_is_seeded) = 1;
204     }
205     /* }}} */

I'd suggest searching for means of the underlying system to gather entropy/random bits.
That would be rngd + /dev/random on a *nix machine and CryptGenRandom or (simpler to reach but slower) CAPICOM Utilities.GetRandom() under windows.

Depending on your needs mcrypt_create_iv() can also be a good choice (maybe in combination with something that creates a "readable" string from the iv).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I wrote my own random string generator without using php's rand() function. 

function rs($length,$chars)
{
    $hex = sha1(microtime()); //contains hexadecimal string
    $return = '';
    $seedLen = strlen($chars); //length of the source characters string
    $posLen  = strlen($hex); //length of the hex string
    for($i=0;$i<$length;$i++){
        $idx_hex = $i % ($posLen-1); //make sure the address is in the hex string (if $i is too big)
        $pos = hexdec($hex[$idx_hex].$hex[$idx_hex+1]);
        $return .= $chars[$pos % $seedLen];
    }
    return $return;
}

The way it works is: it generates sha1 hash of current time (a string that looks like 06009da3e0d26f8569b65cb50a774bb6b431a777) then it takes 2 values at a time from the hash and uses that as a hexadecimal "address" of a character in the $chars string. i.e. in this example if the $chars string is "abcdefghijklmnopqrstuvwxyz" then the first character in the "random" string will be "g" - the letter with index 06 in the chars string. Limitations: (1) only first 256 characters will be used from the $chars string (if it's longer than 256 characters) (2) due to modulo operators, this function is slower than the mt_rand().

edit: mt_rand() uses modulo operators as well, so the speed might be on the same order as this function. i didn't run any comparisons.

Improve this answer

2 Comments

Thanks for your comment, but I don't see at all why it would be better than the default function.
this is not in anyway more random than using only microtime therefore its not random at all.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.