×
  • Partagez
  • E-mail
  • Intégrer
  • J'aime
  • Télécharger
  • Contenu privé
 

Reutov, yunusov, nagibin random numbers take ii

by on Nov 27, 2012

  • 13,339 vues

 

Statistiques

Vues

Total des vues
13,339
Vues sur SlideShare
12,459
Vues externes
880

Actions

J'aime
9
Téléchargements
59
Commentaires
10

18 Ajouts 880

http://www.redditmedia.com 582
https://twitter.com 144
http://it-republik.de 87
http://iblunk.com 17
http://entwickler.com 14
http://phpmagazin.de 7
http://tweetedtimes.com 5
http://www.techgig.com 5
http://www.iblunk.com 3
http://twitter.com 3
https://twimg0-a.akamaihd.net 3
https://si0.twimg.com 2
http://entwickler.de 2
http://jax.de 2
http://www.techgig.timesjobs.com 1
http://ams.activemailservice.com 1
http://www.twylah.com 1
http://rev313.info 1
Plus...

Accessibilité

Détails de l'import

Importé via SlideShare au format Adobe PDF

Droits d'utilisation

© Tous droits réservés

Report content

Signalé comme inapproprié Signaler comme inapproprié
Signaler comme inapproprié

Select your reason for flagging this presentation as inappropriate.

Annuler

110 sur 10 précédent suivant Publier un commentaire

  • pierrej Pierre Joye btw, drop me a mail at pierre@php.net, something I work on may be interesting for you and who knows, maybe you can give a hand :) Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • pierrej Pierre Joye Managers? security@ is a group of core devs, distributions security people and some security companies. Dropping a mail there or to internals to propose your solution will work just fine.

    The RFC process will even allow you to get it in the next release, if approved :)
    Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • arseniyreutov Arseniy Reutov, специалист at Positive Technologies @pierrej We tried, but didn't manage to get the manager that contacted us understand the issue. Going to try again! Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • pierrej Pierre Joye btw, you are more than welcome to submit suggestions and patch to internals or security@php.net :) Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • pierrej Pierre Joye @arseniy

    Afair it was simply due to the lack of the entropy feature back then. Also one should really simply pass it instead
    Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • arseniyreutov Arseniy Reutov, специалист at Positive Technologies @pierrej Glad to see this. But our major concern is that GENERATE_SEED macro uses php_combined_lcg() while not utilizing external crypto providers. Why not implement this? Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • pierrej Pierre Joye @arseniy

    You can set the hash to any other stronger hash. That's why we created it. I would like to set the default to something strong but there were some oppositions back then.

    The entropy source is also now definable, and there is also something at compile time telling that no reliable entropy source has been found.

    About the doc, yes, just pinged the doc team to add strong notices there :)
    Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • arseniyreutov Arseniy Reutov, специалист at Positive Technologies Hi, Pierre!

    ini setting session.hash_function - sha1 can be easily bruteforced as well, not so fast as md5 but still

    LCG relying on urandom or similar devices - I am confused by this statement. I suppose you meant the use of urandom in PHPSESSID generation in PHP 5.4. What we tried to tell is that no external crypto provides are used while seeding PRNGs, namely LCG and MT. It is a big difference.

    md5 supposed to be secure? serioulsy? - sha1 cannot be considered secure as well

    mt_rand and rand are well known as totally unsafe random sources. - put a security notice in the documentation then, like other sane languages.
    Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • pierrej Pierre Joye Some missing info, making this deck almost totally outdated and only about spreading outdated informations about php being unsecure:

    - ini setting session.hash_function

    - LCG relying on urandom or similar devices

    - md5 supposed to be secure? serioulsy? :) (user fault)

    - mt_rand and rand are well known as totally unsafe random sources. It should be clearly documented as such tho'

    - openssl's pseudo random bytes functions (or mcrypt equivalent) should be used too instead

    However one positive effect of this deck is to tell users to finally implement good things :)
    Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
  • hearttrapwall Dake Trap Wall at AKI good Il y a 1 an
    Are you sure you want to
    Votre message apparaîtra ici
    Traitement...
Poster un commentaire
Modifier votre commentaire

Reutov, yunusov, nagibin   random numbers take ii Reutov, yunusov, nagibin random numbers take ii Presentation Transcript