2

I am looking for an implementation of FIPS validated or compliant Random Number Generator for PHP 5.6. From what I have seen, random_bytes and random_int are there but they are only available for PHP 7.0 or above. random_bytes uses windows CryptGenRandom API but that is deprecated as well.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa379942(v=vs.85).aspx

There is a third party implementation for PHP 5.6 here:

https://github.com/paragonie/random_compat

but I could not find any reference which states that it is FIPS compliant. We are working on making our product FIPS compliant and would like to use a cryptographically secure random generator that is won't cause issue in FIPS certification and would work on Windows, Linux and Mac.

Umair Durrani
  • 79
  • 1
  • 3
  • buy an usb random generator, read the data from that. https://en.wikipedia.org/wiki/Comparison_of_hardware_random_number_generators – Tschallacka Dec 04 '17 at 15:02
  • ..and give that out to every client who buys our product ? – Umair Durrani Dec 05 '17 at 05:32
  • If you wish to be secure, why not. they cost only like 40 dollars, and are worth the investment for security. but if that's too costly, you might wish to look into https://security.stackexchange.com/questions/101112/can-i-rely-on-openssl-random-pseudo-bytes-being-very-random-in-php provided it's the very latest php 5.6 version you're using. – Tschallacka Dec 05 '17 at 08:37

0 Answers0