CryptoCard KT-1 Token Random Key Generation PHP Code (PHP Code as Text)
<?php
//Don't allow any browser to cache these contents, because of the
//random numbers.
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
//
//if (!isset($BGSOUND_INCLUDED))
//{
// include("bgsound/bgsound.inc");
// $BGSOUND_INCLUDED=1;
//}
?>
<html>
<head>
<title>Generating Random Numbers to Use as CryptoCard KT-1 Token AES-192 Keys from PHP</title>
</head>
<body background="/bkgnds/bk_garlic.jpg">
<font face="arial" size="3">
<p align="center">
<font size="5">
Generating Random Numbers to Use as <i>CryptoCard</i> KT-1 Token AES-192 Keys from <i>PHP</i>
</font>
</p>
<hr>
<p>
Assuming a public algorithm, block ciphers are effective if and only if
there is no way for an attacker to narrow the key space. The
key space could be narrowed by either a weakness in the algorithm that allows
an attacker to narrow the space by analyzing ciphertext messages; or it could
be narrowed by some knowledge of how keys have been chosen. It is important
to choose token keys in a way that can't be reproduced by an attacker; and where
an attacker has no way to narrow the range of keys that might have been chosen.
</p>
<p>
<i>PHP</i> provides a built-in <i>rand()</i> function that could be used
to create token keys. However, the random numbers from <i>PHP</i>'s
<i>rand()</i> function are pseudo-random rather than random. <i>PHP</i> source code,
including the <i>rand()</i> function, is public.
If the <i>PHP</i> code intended to generate random keys using
<i>PHP</i>'s <i>rand()</i> function is also public, an attack making use
of the pseudo-random nature of <i>rand()</i> may be possible.
</p>
<p>
The standard <i>Unix</i>/<i>Linux</i> device <i>/dev/rand</i> is
more reliable for the generation of security-critical
keys than <i>PHP</i>'s built-in <i>rand()</i> function. (<i>/dev/rand</i>
makes use of unpredictable events in the computer system to generate random
numbers.)
</p>
<p>
The random hexadecimal number below (192 bits) has been obtained via
<i>/dev/rand</i> using <i>PHP</i> (refreshing this page will cause
the value to change). Note that <i>/dev/rand</i> will block
when the randomness available has been depleted until more randomness
can be obtained (this can be observed by reloading the page several times).
</p>
<p align="center">
<?php
$handle = fopen ("/dev/random", "r");
if ($handle === FALSE) //fopen() failure
{
echo "<i>Unable to open /dev/random.</i>\n";
}
else
{
$no_hyphens = "";
echo "<i>With hyphen separators:</i> ";
for ($i=0; $i<24; $i++)
{
$c = fgetc($handle);
if ($c === FALSE) //EOF, which should not occur (should block instead).
break;
$val = ord($c);
printf("%02X", $val);
$no_hyphens .= sprintf("%02X", $val);
if ($i < 23)
echo "-";
}
fclose($handle);
}
?>
</p>
<?php
if (strlen($no_hyphens))
{
echo "<p align=\"center\">\n";
echo "<i>Without hyphen separators:</i> " . $no_hyphens . "\n";
echo "</p>\n";
}
?>
<p>
The source code for this page (illustrating how to use
<i>PHP</i> to get data from <i>/dev/rand</i>) is available
<a href="php_rand_key_gen_source.php" target="_blank">here</a>.
</p>
<p>
In the application for which KT-1 tokens are being evaluated
(tokens initialized on
a <i>Windows</i> system), the random output of a web page (served by a
<i>Unix</i>/<i>Linux</i> system) can be copied and pasted into the
<i>Windows</i> token initialization application. (For example,
the 192-bit random number above could be copied and pasted into a
<i>Windows</i> token initialization application.)
</p>
<p>
Other obvious methods of generating random keys not involving <i>PHP</i>:
<ul>
<li>Flipping a coin 192 times.</li>
<li>Obtaining random numbers from <a href="http://www.random.org" target="_blank">RANDOM.ORG</a> or a
similar site.</li>
</ul>
</p>
<p>
Useful reading and background:
<ul>
<li><i><a href="http://www.random.org/randomness/" target="_blank">Introduction
to Randomness and Random Numbers</a></i> by Mads Haar.</li>
<li><i><a href="http://en.wikipedia.org/wiki/Pseudo-random" target="_blank">Pseudorandom
Number Generator</a></i> entry at <a href="http://www.wikipedia.org" target="_blank">Wikipedia</a>.
</ul>
</p>
<hr>
<p align="center" style="margin-top: -3; margin-bottom: -1"><font size="2">This
web page is maintained by <a href="mailto:dta@e3ft.com">David T. Ashley</a>.
Local
time on this server (at the time the page was served)
is <? $today = date("g:i:s a \o\\n F j, Y."); echo $today; ?></font></p>
<hr noshade size="5">
</font>
</body>
</html>
This web page is maintained by David T. Ashley. Local time on this server (at the time the page was served) is