CryptoCard KT-1 Token Random Key Generation PHP Code (PHP Code as Text)


<?php
//Don't allow any browser to cache these contents, because of the
//random numbers.
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
//
//if (!isset($BGSOUND_INCLUDED))
//{
//  include("bgsound/bgsound.inc");
//  $BGSOUND_INCLUDED=1;
//}
?>

<html>

<head>
<title>Generating Random Numbers to Use as CryptoCard KT-1 Token AES-192 Keys from PHP</title>
</head>

<body background="/bkgnds/bk_garlic.jpg">

<font face="arial" size="3">

<p align="center">
<font size="5">
Generating Random Numbers to Use as <i>CryptoCard</i> KT-1 Token AES-192 Keys from <i>PHP</i>
</font>
</p>

<hr>

<p>
Assuming a public algorithm, block ciphers are effective if and only if 
there is no way for an attacker to narrow the key space.&nbsp; The
key space could be narrowed by either a weakness in the algorithm that allows
an attacker to narrow the space by analyzing ciphertext messages; or it could
be narrowed by some knowledge of how keys have been chosen.&nbsp; It is important
to choose token keys in a way that can't be reproduced by an attacker; and where
an attacker has no way to narrow the range of keys that might have been chosen.
</p>

<p>
<i>PHP</i> provides a built-in <i>rand()</i> function that could be used
to create token keys.&nbsp; However, the random numbers from <i>PHP</i>'s 
<i>rand()</i> function are pseudo-random rather than random.&nbsp; <i>PHP</i> source code,
including the <i>rand()</i> function, is public.&nbsp; 
If the <i>PHP</i> code intended to generate random keys using
<i>PHP</i>'s <i>rand()</i> function is also public, an attack making use
of the pseudo-random nature of <i>rand()</i> may be possible.
</p>

<p>
The standard <i>Unix</i>/<i>Linux</i> device <i>/dev/rand</i> is
more reliable for the generation of security-critical
keys than <i>PHP</i>'s built-in <i>rand()</i> function.&nbsp; (<i>/dev/rand</i> 
makes use of unpredictable events in the computer system to generate random 
numbers.)
</p>

<p>
The random hexadecimal number below (192 bits) has been obtained via
<i>/dev/rand</i> using <i>PHP</i> (refreshing this page will cause 
the value to change).&nbsp; Note that <i>/dev/rand</i> will block
when the randomness available has been depleted until more randomness
can be obtained (this can be observed by reloading the page several times).
</p>

<p align="center">
<?php
$handle = fopen ("/dev/random", "r");
if ($handle === FALSE) //fopen() failure
   {
   echo "<i>Unable to open /dev/random.</i>\n";
   }
else
   {
   $no_hyphens = "";

   echo "<i>With hyphen separators:</i>&nbsp; ";

   for ($i=0; $i<24; $i++)
      {
      $c = fgetc($handle);

      if ($c === FALSE) //EOF, which should not occur (should block instead).
         break;

      $val = ord($c);

      printf("%02X", $val);
      $no_hyphens .= sprintf("%02X", $val);
      
      if ($i < 23)
         echo "-";
      }

   fclose($handle);
   }

?>
</p>

<?php
if (strlen($no_hyphens))
   {
   echo "<p align=\"center\">\n";
   echo "<i>Without hyphen separators:</i>&nbsp; " . $no_hyphens . "\n";
   echo "</p>\n";
   }
?>

<p>
The source code for this page (illustrating how to use 
<i>PHP</i> to get data from <i>/dev/rand</i>) is available
<a href="php_rand_key_gen_source.php" target="_blank">here</a>.
</p>

<p>
In the application for which KT-1 tokens are being evaluated
(tokens initialized on
a <i>Windows</i> system), the random output of a web page (served by a
<i>Unix</i>/<i>Linux</i> system) can be copied and pasted into the
<i>Windows</i> token initialization application.&nbsp; (For example,
the 192-bit random number above could be copied and pasted into a
<i>Windows</i> token initialization application.)
</p>

<p>
Other obvious methods of generating random keys not involving <i>PHP</i>:
<ul>
<li>Flipping a coin 192 times.</li>
<li>Obtaining random numbers from <a href="http://www.random.org" target="_blank">RANDOM.ORG</a> or a 
    similar site.</li>
</ul>
</p>

<p>
Useful reading and background:
<ul>
<li><i><a href="http://www.random.org/randomness/" target="_blank">Introduction 
       to Randomness and Random Numbers</a></i> by Mads Haar.</li>
<li><i><a href="http://en.wikipedia.org/wiki/Pseudo-random" target="_blank">Pseudorandom
       Number Generator</a></i> entry at <a href="http://www.wikipedia.org" target="_blank">Wikipedia</a>.
</ul>
</p>

<hr>
<p align="center" style="margin-top: -3; margin-bottom: -1"><font size="2">This
web page is maintained by <a href="mailto:dta@e3ft.com">David T. Ashley</a>.&nbsp; 
Local 
time on this server (at the time the page was served)
is <? $today = date("g:i:s a \o\\n F j, Y."); echo $today; ?></font></p>
<hr noshade size="5">

</font>
</body>

</html>


This web page is maintained by David T. Ashley.  Local time on this server (at the time the page was served) is