Here's an example to show the distribution of random numbers as an image. Credit to Hayley Watson at the mt_rand page for the original comparison between rand and mt_rand.
rand is red, mt_rand is green and openssl_random_pseudo_bytes is blue.
NOTE: This is only a basic representation of the distribution of the data. Has nothing to do with the strength of the algorithms or their reliability.
<?php
header("Content-type: image/png");
$sizex=800;
$sizey=800;
$img = imagecreatetruecolor(3 * $sizex,$sizey);
$r = imagecolorallocate($img,255, 0, 0);
$g = imagecolorallocate($img,0, 255, 0);
$b = imagecolorallocate($img,0, 0, 255);
imagefilledrectangle($img, 0, 0, 3 * $sizex, $sizey, imagecolorallocate($img, 255, 255, 255));
$p = 0;
for($i=0; $i < 100000; $i++) {
$np = rand(0,$sizex);
imagesetpixel($img, $p, $np, $r);
$p = $np;
}
$p = 0;
for($i=0; $i < 100000; $i++) {
$np = mt_rand(0,$sizex);
imagesetpixel($img, $p + $sizex, $np, $g);
$p = $np;
}
$p = 0;
for($i=0; $i < 100000; $i++) {
$np = floor($sizex*(hexdec(bin2hex(openssl_random_pseudo_bytes(4)))/0xffffffff));
imagesetpixel($img, $p + (2*$sizex), $np, $b);
$p = $np;
}
imagepng($img);
imagedestroy($img);
?>
openssl_random_pseudo_bytes
(PHP 5 >= 5.3.0, PHP 7)
openssl_random_pseudo_bytes — Generate a pseudo-random string of bytes
Description
openssl_random_pseudo_bytes
( int
$length
[, bool &$crypto_strong
] ) : string
Generates a string of pseudo-random bytes, with the number of bytes
determined by the length parameter.
It also indicates if a cryptographically strong algorithm was used to produce the
pseudo-random bytes, and does this via the optional crypto_strong
parameter. It's rare for this to be FALSE, but some systems may be broken or old.
Parameters
-
length -
The length of the desired string of bytes. Must be a positive integer. PHP will try to cast this parameter to a non-null integer to use it.
-
crypto_strong -
If passed into the function, this will hold a boolean value that determines if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, passwords, etc.
TRUEif it did, otherwiseFALSE
Return Values
Returns the generated string of bytes on success, or FALSE on failure.
Examples
Example #1 openssl_random_pseudo_bytes() example
<?php
for ($i = -1; $i <= 4; $i++) {
$bytes = openssl_random_pseudo_bytes($i, $cstrong);
$hex = bin2hex($bytes);
echo "Lengths: Bytes: $i and Hex: " . strlen($hex) . PHP_EOL;
var_dump($hex);
var_dump($cstrong);
echo PHP_EOL;
}
?>
The above example will output something similar to:
Lengths: Bytes: -1 and Hex: 0 string(0) "" NULL Lengths: Bytes: 0 and Hex: 0 string(0) "" NULL Lengths: Bytes: 1 and Hex: 2 string(2) "42" bool(true) Lengths: Bytes: 2 and Hex: 4 string(4) "dc6e" bool(true) Lengths: Bytes: 3 and Hex: 6 string(6) "288591" bool(true) Lengths: Bytes: 4 and Hex: 8 string(8) "ab86d144" bool(true)
See Also
- random_bytes() - Generates cryptographically secure pseudo-random bytes
- bin2hex() - Convert binary data into hexadecimal representation
- crypt() - One-way string hashing
- mt_rand() - Generate a random value via the Mersenne Twister Random Number Generator
- uniqid() - Generate a unique ID
add a note
User Contributed Notes 10 notes
nahun@telemako ¶
6 years ago
powtac at gmx dot de ¶
3 years ago
[Editor's note: the bug has been fixed as of PHP 5.4.44, 5.5.28 and PHP 5.6.12]
Until PHP 5.6 openssl_random_pseudo_bytes() did NOT use a "cryptographically strong algorithm"!
See bug report https://bugs.php.net/bug.php?id=70014 and the corresponding source code at https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408
christophe dot weis at statec dot etat dot lu ¶
8 years ago
Another replacement for rand() using OpenSSL.
Note that a solution where the result is truncated using the modulo operator ( % ) is not cryptographically secure, as the generated numbers are not equally distributed, i.e. some numbers may occur more often than others.
A better solution than using the modulo operator is to drop the result if it is too large and generate a new one.
<?php
function crypto_rand_secure($min, $max) {
$range = $max - $min;
if ($range == 0) return $min; // not so random...
$log = log($range, 2);
$bytes = (int) ($log / 8) + 1; // length in bytes
$bits = (int) $log + 1; // length in bits
$filter = (int) (1 << $bits) - 1; // set all lower bits to 1
do {
$rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes, $s)));
$rnd = $rnd & $filter; // discard irrelevant bits
} while ($rnd >= $range);
return $min + $rnd;
}
?>
Tyler Larson ¶
10 years ago
If you don't have this function but you do have OpenSSL installed, you can always fake it:
<?php
function openssl_random_pseudo_bytes($length) {
$length_n = (int) $length; // shell injection is no fun
$handle = popen("/usr/bin/openssl rand $length_n", "r");
$data = stream_get_contents($handle);
pclose($handle);
return $data;
}
?>
crrodriguez at opensuse dot org ¶
8 years ago
Remember to request at very least 8 bytes of entropy, ideally 32 or 64, to avoid possible theorical bruteforce attacks.
acatalept at gmail ¶
8 years ago
FYI, openssl_random_pseudo_bytes() can be incredibly slow under Windows, to the point of being unusable. It frequently times out (>30 seconds execution time) on several Windows machines of mine.
Apparently, it's a known problem with OpenSSL (not PHP specifically).
See: http://www.google.com/search?q=openssl_random_pseudo_bytes+slow
umairkhi at hotmail dot com ¶
1 year ago
After the fix of insecure number generation here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8867
This function as well as the text here needs an update. I believe this function is safe to use in FIPS compliant apps as well as it now used RAND_bytes instead of the insecure RAND_pseudo_bytes().
Anonymous ¶
7 years ago
Another way to get random 32bit ints:
function myRand($max){
do{
$result = floor($max*(hexdec(bin2hex(openssl_random_pseudo_bytes(4)))/0xffffffff));
}while($result == $max);
return $result;
}
atesin () gmail ! com ¶
1 year ago
if unavailable use this with core functions... maybe not as secure and optimized (any help?), but practical
<?php
$bytes = '';
while (strlen($bytes) < $lenght)
$bytes .= chr(mt_rand(0, 255));
?>
