4

On PHP.net, mt_rand() and uniqid() are described with the note "does not generate cryptographically secure values", and it is encouraged to use random_int(), random_bytes(), or openssl_random_pseudo_bytes() instead.

What is meant by "cryptographically secure"?

Hasanta
  • 93
  • 3
  • 11
  • Friends [Google](https://www.google.com/search?q=cryptographically+secure&rlz=1C1VFKB_enJP607JP618&oq=cryptographically+secure&aqs=chrome..69i57j69i60&sourceid=chrome&ie=UTF-8) and [Wikipedia](https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator) can help you with this, I guess. – Geshode Dec 19 '17 at 08:30
  • said friends will tell you something about "entropy" ... and just for the fun of it... https://www.random.org/analysis/dilbert.jpg – DarkSquirrel42 Dec 19 '17 at 08:36
  • 2
    @Geshode I guess I asked those friends and Stack Overflow too about this. And guess what? I didn't find a clear explanation and thought it'll be good if I build a question for others too. – Hasanta Dec 19 '17 at 19:13

2 Answers

9

Computers don't normally do a very good job at calculating a truly random number. This means that the pseudo-random number that a computer calculates might be predictable.

If this random number is then used as a basis for a cryptographic key, then the key and so the secured message can be compromised.

A cryptographically secure pseudo-random number generator (CSPRNG) is one where the number that is generated is extremely hard for any third party to predict. This means that cryptographic keys derived from these random numbers are extremely hard to determine, making messages secured with such keys safe.

From https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator:

> Ideally, the generation of random numbers in CSPRNGs uses entropy obtained from a high-quality source, generally the operating system's randomness API. However, unexpected correlations have been found in several such ostensibly independent processes. From an information-theoretic point of view, the amount of randomness, the entropy that can be generated, is equal to the entropy provided by the system. But sometimes, in practical situations, more random numbers are needed than there is entropy available. Also the processes to extract randomness from a running system are slow in actual practice. In such instances, a CSPRNG can sometimes be used. A CSPRNG can "stretch" the available entropy over more bits.

Spangen
  • 4,420
  • 5
  • 37
  • 42
  • Yes, but the name is misleading. In computers there is no true "randomness" so a better name would be "cryptographically almost secure" or "hard to crack" or similar. –  Aug 05 '19 at 09:01
  • 2
    Yes, there is randomness gathered from entropy like disk access times, user keyboard or mouse interaction etc. – Spangen Aug 05 '19 at 12:51
2

It means that the values can be guessed and predicted, because they are generated by a known algorithm.

So you should not rely on them if you need a value where the user can't guess what will come next.

Consider a poker game: what happens if the user can guess what the next card is?

You can check details in this SO answer

2oppin
  • 1,941
  • 20
  • 33
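
The poker scenario from the answer above, as an added example that is not part of the original posts: a deck shuffled with a seeded mt_rand() can be reproduced by anyone who knows the seed, while the same shuffle driven by random_int() has no seed to learn. The helper names and the seed value are constructed for illustration.

```php
<?php
// Added illustration: helper names and the seed value are constructed.

// Fisher-Yates shuffle driven by a caller-supplied integer source.
function shuffleDeck(array $deck, callable $randInt): array
{
    for ($i = count($deck) - 1; $i > 0; $i--) {
        $j = $randInt(0, $i);
        [$deck[$i], $deck[$j]] = [$deck[$j], $deck[$i]];
    }
    return $deck;
}

function newDeck(): array
{
    $deck = [];
    foreach (['S', 'H', 'D', 'C'] as $suit) {
        foreach (['A', '2', '3', '4', '5', '6', '7', '8', '9', '10', 'J', 'Q', 'K'] as $rank) {
            $deck[] = $rank . $suit;
        }
    }
    return $deck;
}

// Weak: mt_rand() is a known deterministic algorithm, so the whole deck
// order is a function of the single integer passed to mt_srand().
function weakShuffle(int $seed): array
{
    mt_srand($seed);
    return shuffleDeck(newDeck(), 'mt_rand');
}

// Hardened: random_int() draws from the operating system's CSPRNG.
function secureShuffle(): array
{
    return shuffleDeck(newDeck(), 'random_int');
}

$seed     = 20171219;           // constructed seed value
$dealer   = weakShuffle($seed); // the game server's deck
$observer = weakShuffle($seed); // a player who knows or guesses the seed

echo "Dealer's next card:    ", $dealer[0], PHP_EOL;
echo "Observer's prediction: ", $observer[0], PHP_EOL;
echo "Weak decks identical:   ", var_export($dealer === $observer, true), PHP_EOL;
echo "Secure decks identical: ", var_export(secureShuffle() === secureShuffle(), true), PHP_EOL;
```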