Hi Lauri,

On Tue, Jan 17, 2017 at 2:34 AM, Lauri Kenttä <lauri.ken...@gmail.com>
wrote:

> On Mon, Jan 16, 2017 at 4:04 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> We know this kind of seed is guessable. i.e. Our session id is compromised
>> by this kind of code.
>>
>
> Maybe you should fix session id instead of (or in addition to) mt_rand.
>

It is fixed. I should have written "was compromised".


>
> On 2017-01-16 09:16, Yasuo Ohgaki wrote:
>
>> Comments are appreciated.
>>
>
> Simply set BG(state)[0] to 0x80000000U and fill the rest with random.
> That's practically like the MT reference implementation init_by_array.
> See the attached patch. Feel free to commit.


Thanks. I didn't bother about efficiency, but it is more efficient than
php_random_int(). This will do half of my idea.

Attackers can guess random strings generated by MT rand by checking only
2^32 combinations, because there are only 2^32 initial states. MT rand is
not a CSPRNG, so users must not use MT rand to generate random strings, but
there is a lot of code that does this. To mitigate the risk of such code,
the initial state could be randomized, i.e. set the state somewhere in MT
rand's 2^19937−1 cycle. I haven't started researching how to do this yet.
I'd appreciate it if you have a patch for this, too.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
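Added example (not code from this thread, from Lauri's patch or from PHP itself): the two seeding strategies discussed above, side by side, with the brute-force seed recovery that makes the first one unsafe. `init_genrand` is the MT19937 reference seeding that derives all 624 state words from one 32-bit value, which is what `mt_srand()` does and why there are only 2^32 reachable initial states; `init_full_state` is the "state[0] = 0x80000000, fill the rest with random" seeding from the patch. `recover_seed` walks a seed range and keeps the seed whose first outputs match what an attacker observed; the range is a parameter (and kept small in the demo) only so pure Python finishes, the real attack walks all 2^32 seeds. Outputs here are the raw 32-bit tempered words; PHP's `mt_rand()` returns them shifted right by one bit. The victim seed and the `os.urandom` source are assumptions of the demo.

```python
"""Added example: 32-bit MT seeding is brute-forceable; full-state seeding is not."""
import os
import struct

N, M = 624, 397                 # MT19937 state size and twist offset
MATRIX_A = 0x9908B0DF
UPPER, LOWER = 0x80000000, 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


def init_genrand(seed):
    """Reference MT19937 seeding (what mt_srand does): the whole 624-word
    state is a deterministic function of one 32-bit seed."""
    state = [seed & MASK32]
    for i in range(1, N):
        prev = state[i - 1]
        state.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
    return state


def init_full_state(rng=os.urandom):
    """Seeding proposed in the thread: state[0] = 0x80000000, the remaining
    623 words random. The fixed top bit rules out the all-zero state (the
    one state MT never leaves); the random words give ~2^19936 possible
    starting points instead of 2^32."""
    words = struct.unpack("<%dI" % (N - 1), rng(4 * (N - 1)))
    return [UPPER] + list(words)


def temper(y):
    """MT19937 output tempering."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def first_outputs(state, count):
    """First `count` raw 32-bit outputs after seeding. Restricted to
    count <= N - M so no wrap-around occurs: output i depends only on the
    not-yet-twisted words state[i], state[i+1] and state[i+M]."""
    assert 0 < count <= N - M
    out = []
    for i in range(count):
        y = (state[i] & UPPER) | (state[i + 1] & LOWER)
        v = state[i + M] ^ (y >> 1)
        if y & 1:
            v ^= MATRIX_A
        out.append(temper(v))
    return out


def recover_seed(observed, seed_range):
    """Brute force: return the 32-bit seed whose first outputs equal the
    observed ones, or None. Three 32-bit outputs (96 bits) pin down a
    32-bit seed uniquely in practice."""
    k = len(observed)
    for seed in seed_range:
        if first_outputs(init_genrand(seed), k) == observed:
            return seed
    return None


if __name__ == "__main__":
    victim_seed = 2600                        # assumed low-entropy seed
    leaked = first_outputs(init_genrand(victim_seed), 3)
    print("mt_srand-style seed recovered:", recover_seed(leaked, range(0, 4000)))
    leaked = first_outputs(init_full_state(), 3)
    print("full-state seed recovered:", recover_seed(leaked, range(0, 4000)))
```

Recovering the seed recovers every later output, so any "random" token built from `mt_rand()` after a 32-bit seeding falls with it. Randomizing the full state removes that shortcut, but it does not make MT a CSPRNG: 624 consecutive raw outputs still let an observer rebuild the state by inverting `temper`, so the full-state seeding is mitigation for existing code, not a reason to keep using MT for secrets.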
