CryptoCard KT-1 Token Random Key Generation PHP Code (PHP Code as Text)
<?php //Don't allow any browser to cache these contents, because of the //random numbers. header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // //if (!isset($BGSOUND_INCLUDED)) //{ // include("bgsound/bgsound.inc"); // $BGSOUND_INCLUDED=1; //} ?> <html> <head> <title>Generating Random Numbers to Use as CryptoCard KT-1 Token AES-192 Keys from PHP</title> </head> <body background="/bkgnds/bk_garlic.jpg"> <font face="arial" size="3"> <p align="center"> <font size="5"> Generating Random Numbers to Use as <i>CryptoCard</i> KT-1 Token AES-192 Keys from <i>PHP</i> </font> </p> <hr> <p> Assuming a public algorithm, block ciphers are effective if and only if there is no way for an attacker to narrow the key space. The key space could be narrowed by either a weakness in the algorithm that allows an attacker to narrow the space by analyzing ciphertext messages; or it could be narrowed by some knowledge of how keys have been chosen. It is important to choose token keys in a way that can't be reproduced by an attacker; and where an attacker has no way to narrow the range of keys that might have been chosen. </p> <p> <i>PHP</i> provides a built-in <i>rand()</i> function that could be used to create token keys. However, the random numbers from <i>PHP</i>'s <i>rand()</i> function are pseudo-random rather than random. <i>PHP</i> source code, including the <i>rand()</i> function, is public. If the <i>PHP</i> code intended to generate random keys using <i>PHP</i>'s <i>rand()</i> function is also public, an attack making use of the pseudo-random nature of <i>rand()</i> may be possible. </p> <p> The standard <i>Unix</i>/<i>Linux</i> device <i>/dev/rand</i> is more reliable for the generation of security-critical keys than <i>PHP</i>'s built-in <i>rand()</i> function. (<i>/dev/rand</i> makes use of unpredictable events in the computer system to generate random numbers.) </p> <p> The random hexadecimal number below (192 bits) has been obtained via <i>/dev/rand</i> using <i>PHP</i> (refreshing this page will cause the value to change). Note that <i>/dev/rand</i> will block when the randomness available has been depleted until more randomness can be obtained (this can be observed by reloading the page several times). </p> <p align="center"> <?php $handle = fopen ("/dev/random", "r"); if ($handle === FALSE) //fopen() failure { echo "<i>Unable to open /dev/random.</i>\n"; } else { $no_hyphens = ""; echo "<i>With hyphen separators:</i> "; for ($i=0; $i<24; $i++) { $c = fgetc($handle); if ($c === FALSE) //EOF, which should not occur (should block instead). break; $val = ord($c); printf("%02X", $val); $no_hyphens .= sprintf("%02X", $val); if ($i < 23) echo "-"; } fclose($handle); } ?> </p> <?php if (strlen($no_hyphens)) { echo "<p align=\"center\">\n"; echo "<i>Without hyphen separators:</i> " . $no_hyphens . "\n"; echo "</p>\n"; } ?> <p> The source code for this page (illustrating how to use <i>PHP</i> to get data from <i>/dev/rand</i>) is available <a href="php_rand_key_gen_source.php" target="_blank">here</a>. </p> <p> In the application for which KT-1 tokens are being evaluated (tokens initialized on a <i>Windows</i> system), the random output of a web page (served by a <i>Unix</i>/<i>Linux</i> system) can be copied and pasted into the <i>Windows</i> token initialization application. (For example, the 192-bit random number above could be copied and pasted into a <i>Windows</i> token initialization application.) </p> <p> Other obvious methods of generating random keys not involving <i>PHP</i>: <ul> <li>Flipping a coin 192 times.</li> <li>Obtaining random numbers from <a href="http://www.random.org" target="_blank">RANDOM.ORG</a> or a similar site.</li> </ul> </p> <p> Useful reading and background: <ul> <li><i><a href="http://www.random.org/randomness/" target="_blank">Introduction to Randomness and Random Numbers</a></i> by Mads Haar.</li> <li><i><a href="http://en.wikipedia.org/wiki/Pseudo-random" target="_blank">Pseudorandom Number Generator</a></i> entry at <a href="http://www.wikipedia.org" target="_blank">Wikipedia</a>. </ul> </p> <hr> <p align="center" style="margin-top: -3; margin-bottom: -1"><font size="2">This web page is maintained by <a href="mailto:dta@e3ft.com">David T. Ashley</a>. Local time on this server (at the time the page was served) is <? $today = date("g:i:s a \o\\n F j, Y."); echo $today; ?></font></p> <hr noshade size="5"> </font> </body> </html>
This web page is maintained by David T. Ashley. Local time on this server (at the time the page was served) is $today = date("g:i:s a \o\\n F j, Y."); echo $today; ?>