PHP 8.4.1 Released!

    openssl_random_pseudo_bytes

    (PHP 5 >= 5.3.0, PHP 7, PHP 8)

    openssl_random_pseudo_bytesGera uma sequência pseudo-aleatória de bytes

    Descrição

    openssl_random_pseudo_bytes(int $length, bool &$strong_result = null): string

    Gera uma string de bytes pseudo-aleatórios, com o número de bytes determinado pelo parâmetro length.

    Também indica se um algoritmo criptograficamente forte foi usado para produzir os bytes pseudo-aleatórios, e faz isso através do parâmetro opcional strong_result. É raro que isso seja false, mas alguns sistemas podem estar quebrados ou antigos.

    Parâmetros

    length

    O comprimento da sequência de bytes desejada. Deve ser um número inteiro positivo menor ou igual a 2147483647. O PHP tentará converter este parâmetro em um número inteiro não nulo para usá-lo.

    strong_result

    Se passado para a função, conterá um valor bool que determina se o algoritmo usado era "criptograficamente forte", por exemplo, seguro para uso com GPG, senhas, etc. true se sim, caso contrário false.

    Valor Retornado

    Retorna a string de bytes gerada.

    Erros/Exceções

    openssl_random_pseudo_bytes() lança uma Exception em caso de falha.

    Registro de Alterações

    Versão Descrição
    8.0.0 strong_result agora pode ser nulo.
    7.4.0 A função não retorna mais false em caso de falha, mas em vez disso lança uma Exception.

    Exemplos

    Exemplo #1 Exemplo de openssl_random_pseudo_bytes()

    <?php
    for ($i = 1; $i <= 4; $i++) {
    $bytes = openssl_random_pseudo_bytes($i, $cstrong);
    $hex = bin2hex($bytes);

    echo     "Comprimentos: Bytes: $i e Hex: " . strlen($hex) . PHP_EOL;
    var_dump($hex);
    var_dump($cstrong);
    echo     PHP_EOL;
    }
    ?>

    O exemplo acima produzirá algo semelhante a:

    Comprimentos: Bytes: 1 e Hex: 2
string(2) "42"
bool(true)

Comprimentos: Bytes: 2 e Hex: 4
string(4) "dc6e"
bool(true)

Comprimentos: Bytes: 3 e Hex: 6
string(6) "288591"
bool(true)

Comprimentos: Bytes: 4 e Hex: 8
string(8) "ab86d144"
bool(true)

    Veja Também

    • random_bytes() - Obtém bytes aleatórios criptograficamente seguros
    • bin2hex() - Converte um dado binário em representação hexadecimal
    • crypt() - Hash unidirecional de string
    • random_int() - Obtém um número inteiro selecionado uniformemente e criptograficamente seguro

    Melhore Esta Página

    Aprenda Como Melhorar Esta PáginaEnvie uma Solicitação de ModificaçãoReporte um Problema
    adicione uma nota

    Notas Enviadas por Usuários (em inglês) 8 notes

    up
    35
    nahun@telemako
    11 years ago
    Here's an example to show the distribution of random numbers as an image. Credit to Hayley Watson at the mt_rand page for the original comparison between rand and mt_rand.

    rand is red, mt_rand is green and openssl_random_pseudo_bytes is blue.

    NOTE: This is only a basic representation of the distribution of the data. Has nothing to do with the strength of the algorithms or their reliability.

    <?php
    header    ("Content-type: image/png");
    $sizex=800;
    $sizey=800;

    $img = imagecreatetruecolor(3 * $sizex,$sizey);
    $r = imagecolorallocate($img,255, 0, 0);
    $g = imagecolorallocate($img,0, 255, 0);
    $b = imagecolorallocate($img,0, 0, 255);
    imagefilledrectangle($img, 0, 0, 3 * $sizex, $sizey, imagecolorallocate($img, 255, 255, 255));

    $p = 0;
    for(    $i=0; $i < 100000; $i++) {
    $np = rand(0,$sizex);
    imagesetpixel($img, $p, $np, $r);
    $p = $np;
    }

    $p = 0;
    for(    $i=0; $i < 100000; $i++) {
    $np = mt_rand(0,$sizex);
    imagesetpixel($img, $p + $sizex, $np, $g);
    $p = $np;
    }

    $p = 0;
    for(    $i=0; $i < 100000; $i++) {
    $np = floor($sizex*(hexdec(bin2hex(openssl_random_pseudo_bytes(4)))/0xffffffff));
    imagesetpixel($img, $p + (2*$sizex), $np, $b);
    $p = $np;
    }

    imagepng($img);
    imagedestroy($img);
    ?>
    up
    11
    powtac at gmx dot de
    8 years ago
    [Editor's note: the bug has been fixed as of PHP 5.4.44, 5.5.28 and PHP 5.6.12]

    Until PHP 5.6 openssl_random_pseudo_bytes() did NOT use a "cryptographically strong algorithm"!
    See bug report https://bugs.php.net/bug.php?id=70014 and the corresponding source code at https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408
    up
    11
    christophe dot weis at statec dot etat dot lu
    13 years ago
    Another replacement for rand() using OpenSSL.

    Note that a solution where the result is truncated using the modulo operator ( % ) is not cryptographically secure, as the generated numbers are not equally distributed, i.e. some numbers may occur more often than others.

    A better solution than using the modulo operator is to drop the result if it is too large and generate a new one.

    <?php
    function crypto_rand_secure($min, $max) {
    $range = $max - $min;
    if (    $range == 0) return $min; // not so random...
    $log = log($range, 2);
    $bytes = (int) ($log / 8) + 1; // length in bytes
    $bits = (int) $log + 1; // length in bits
    $filter = (int) (1 << $bits) - 1; // set all lower bits to 1
    do {
    $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes, $s)));
    $rnd = $rnd & $filter; // discard irrelevant bits
    } while ($rnd >= $range);
    return     $min + $rnd;
    }
    ?>
    up
    1
    mailjeffclayton [at] gmail
    5 years ago
    Getting an integer value from a given range with an even distribution:

    This function I created to solve the problem of modulo results causing overlap of ranged results (which gave an uneven distribution).

    What I mean for those not as familiar with the problem:

    Using bytes for base 256 (base 16) and attempting to find a value in a range of values that may be for example 10-20 (a spread of 11) will not divide evenly, so values (using mod) will overlap and give more priority to some numbers than others.

    Instead of calculating based on byte values, I used the byte values as keys to sort. This is very fast, and does not require large multiplications of data space that easily go over the value of Max Int.

    Additionally: To make the user-supplied arguments not care about order I am using a handy swap function I found in the wild in conjunction with my function below.

    // swap function

    function swap(&$a,&$b) { list($a,$b)=array($b,$a); } // swap 2 variables-- no temp variable needed!

    // function to get a random value within a given range of integers

    function get_secure_random_ranged_value($max=99, $min=0) // handles 1 or 2 arguments, order does not matter
    {
    $sortarray = array();
    $lo = (int)$min;
    $hi = (int)$max;
    if ($lo > $hi) swap($lo,$hi);
    $data_range = abs($hi - $lo) + 1; // +1 includes both the lowest 'zero' value and highest value of range
    $bytes_per_key = 4; // Max: ffff hex = 4,294,967,296 dec (over 4 billion) -- large span of random values covers massive datasets
    $num_bytes = $data_range * $bytes_per_key;
    $byte_string = (bin2hex(openssl_random_pseudo_bytes($num_bytes))); // only one call needed to get string of bytes
    $byte_blocksize = $bytes_per_key << 1; // shift multiply by 2 since a byte is 2 characters wide

    while ($key = substr($byte_string,0,$byte_blocksize)) { // get next byte block from string
    $byte_string = substr($byte_string,$byte_blocksize); // remove selected byte block from string
    $sortarray[]=$key; // populate the array with keys temporarily as array values
    }

    $sortarray = array_flip($sortarray); // swap to use the byte values as keys
    ksort($sortarray); // randomize by keys
    return array_shift($sortarray) + $lo; // grab top value from array and add it to the lowest value in the range
    }

    //
    // example getting values from 0 to 21:
    //

    for ($i=1;$i<=10;$i++) { $rnd = get_secure_random_ranged_value(21); echo "-> result: ".($rnd)." <br />\n"; }

    //
    // example getting values from 14 to 21:
    //

    for ($i=1;$i<=10;$i++) { $rnd = get_secure_random_ranged_value(14,21); echo "-> result: ".($rnd)." <br />\n"; }

    //
    // sample results from 14-21
    //

    -> result: 14
    -> result: 18
    -> result: 20
    -> result: 15
    -> result: 20
    -> result: 16
    -> result: 21
    -> result: 15
    -> result: 16
    -> result: 17
    up
    4
    acatalept at gmail
    13 years ago
    FYI, openssl_random_pseudo_bytes() can be incredibly slow under Windows, to the point of being unusable. It frequently times out (>30 seconds execution time) on several Windows machines of mine.

    Apparently, it's a known problem with OpenSSL (not PHP specifically).

    See: http://www.google.com/search?q=openssl_random_pseudo_bytes+slow
    up
    5
    Tyler Larson
    15 years ago
    If you don't have this function but you do have OpenSSL installed, you can always fake it:

    <?php
    function openssl_random_pseudo_bytes($length) {
    $length_n = (int) $length; // shell injection is no fun
    $handle = popen("/usr/bin/openssl rand $length_n", "r");
    $data = stream_get_contents($handle);
    pclose($handle);
    return     $data;
    }
    ?>
    up
    -3
    crrodriguez at opensuse dot org
    13 years ago
    Remember to request at very least 8 bytes of entropy, ideally 32 or 64, to avoid possible theorical bruteforce attacks.
    up
    -4
    umairkhi at hotmail dot com
    6 years ago
    After the fix of insecure number generation here:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8867

    This function as well as the text here needs an update. I believe this function is safe to use in FIPS compliant apps as well as it now used RAND_bytes instead of the insecure RAND_pseudo_bytes().
    adicione uma nota
    To Top