Gathering entropy in web apps to create (more) secure random numbers

Posted by H M on Stack Overflow
Published on 2012-03-27T04:23:49Z Indexed on 2012/04/10 17:28 UTC

After several days of research and discussion, I came up with this method to gather entropy from visitors (you can see the history of my research here).

When a user visits, I run this code:

$entropy=sha1(microtime().$pepper.$_SERVER['REMOTE_ADDR'].$_SERVER['REMOTE_PORT'].
$_SERVER['HTTP_USER_AGENT'].serialize($_POST).serialize($_GET).serialize($_COOKIE)); 

Note: pepper is a per-site/setup random string set by hand.

Then I execute the following (My)SQL query:

$query="update `crypto` set `value`=sha1(concat(`value`, '$entropy')) where name='entropy'";

That means we combine the entropy of the visitor's request with the others' already gathered.

That's all.

Then, when we want to generate random numbers, we combine the gathered entropy with the output:

$query="select `value` from `crypto` where `name`='entropy'";
//...
extract(unpack('Nrandom', pack('H*', sha1(mt_rand(0, 0x7FFFFFFF).$entropy.microtime())))); 

Note: the last line is part of a modified version of the crypt_rand function of phpseclib.

Please tell me your opinion about the scheme, and any other ideas/info regarding entropy gathering/random number generation.

PS: I know about randomness sources like /dev/urandom. This system is just an auxiliary system or (when we don't have (access to) these sources) a fallback scheme.
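The auxiliary/fallback arrangement described in the post, as an added example that is not the poster's code or phpseclib's: request data is folded into a pool with HMAC-SHA-256, and each output mixes that pool with the OS CSPRNG when one is available, so the pool only ever adds to the OS source. The class name EntropyPool, its methods and the demo values are hypothetical, and persisting the state (the `crypto` row in the post) is left to the caller.

```php
<?php
// Added example: hypothetical EntropyPool, not code from the original post.
final class EntropyPool
{
    private string $state;    // pool value; the caller loads and stores it
    private string $pepper;   // per-site secret set by hand, as in the post
    private int $counter = 0;

    public function __construct(string $storedState, string $pepper)
    {
        $this->state  = $storedState;
        $this->pepper = $pepper;
    }

    // Fold one request's observable data into the pool (the post's UPDATE step).
    public function mix(array $server, array $input): void
    {
        $sample = implode("\0", [
            microtime(),
            $server['REMOTE_ADDR'] ?? '',
            $server['REMOTE_PORT'] ?? '',
            $server['HTTP_USER_AGENT'] ?? '',
            serialize($input),
        ]);
        // New state depends on the old state, the sample and the pepper.
        $this->state = hash_hmac('sha256', $this->state . $sample, $this->pepper, true);
    }

    // Unsigned 32-bit value (on 64-bit PHP), same unpack('N') step as the post.
    public function randomUint32(): int
    {
        try {
            $os = random_bytes(32);   // OS CSPRNG, preferred source
        } catch (\Exception $e) {
            $os = '';                 // fallback case: pool and timing only
        }
        $msg   = $os . pack('N', $this->counter++) . microtime();
        $block = hash_hmac('sha256', $msg, $this->state, true);
        // Ratchet: a later copy of the pool does not reveal earlier outputs.
        $this->state = hash_hmac('sha256', 'ratchet', $this->state, true);
        return unpack('Nrandom', $block)['random'];
    }

    public function state(): string { return $this->state; }
}

// Constructed demo values; a request handler would pass $_SERVER and the merged input arrays.
$pool = new EntropyPool(str_repeat("\0", 32), 'per-site-pepper-set-by-hand');
$pool->mix(['REMOTE_ADDR' => '203.0.113.7', 'REMOTE_PORT' => '51544', 'HTTP_USER_AGENT' => 'demo'], ['q' => 'x']);
printf("%u\n", $pool->randomUint32());
```

When `random_bytes()` is unavailable, the output is only as unpredictable as the pool state and the pepper, since the request fields themselves are visible to the client that sends them.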
