I was looking into using OpenID for an upcoming project I was going to be working on. After reading through some tutorials on Janrain's PHP implementation of OpenID and looking through the source code I uploaded it to my server and tested out the example script included with my Google ID and I was getting some errors about the Auth_OpenID_RAND_SOURCE in CryptUtil.php not being set properly. I found an answer through Google to define it as null instead of the default /dev/urandom. My question is, this obviously isn't safe right? and is /dev/urandom a random number generator in linux? What would be some good alternatives to using /dev/urandom on my home windows machine for messing around with the implementation?
Asked
Active
Viewed 977 times
1 Answers
1
Well, the CryptUtil.php says that the class
* Attempts to use a cryptographically secure (not predictable)
* source of randomness if available. If there is no high-entropy
* randomness source available, it will fail. As a last resort,
* for non-critical systems, define
* Auth_OpenID_RAND_SOURCE as null, and
* the code will fall back on a pseudo-random number generator.
So, if you define this constant to NULL, AND it's unable to find any other source of entropy, this will mean you have no entropy source at all - basically, there will be no encryption. Here is what wikipedia has to say about /dev/urandom:
A counterpart to /dev/random is /dev/urandom ("unlocked"/non-blocking random source[4]) which reuses the internal pool to produce more pseudo-random bits. This means that the call will not block, but the output may contain less entropy than the corresponding read from /dev/random. The intent is to serve as a cryptographically secure pseudorandom number generator. This may be used for less secure applications.
As for entropy sources on Win32, there don't seem to be a lot of good options available to your PHP userland.
TML
- 12,813
- 3
- 38
- 45