CSPRNG under windows.

CSPRNG under windows.

am 20.07.2011 05:49:23 von cythrawll

Hello PHP,

I have plans on creating security framework for PHP websites, I would
love to support windows but I am having trouble getting access to any
sort of CSPRNG in windows, this is a bit of a problem....

mcrypt supposedly will help with this, but I am having trouble finding
easily accessible binaries that I could even dream of using it as a
reasonable requirement for a framework.

openssl_random_pseudo_bytes I hear has lots of entropy issues on
windows... so it's not appropriate to use that either...

I tried accessing the .NET csprng through DOTNET in PHP....

$rand = new DOTNET('mscorlib',
'System.Security.Cryptography.RNGCryptoServiceProvider');

$rand->GetBytes('somethinggoeshere');

docs are here:
http://msdn.microsoft.com/en-us/library/system.security.cryp tography.rngcryptoserviceprovider.aspx

for some reason, no matter what I try to pass to GetBytes, won't work
(throws wrong type exceptions), tried arrays, strings, various VARIANT
objects... nothing seems to make it happy.

So I am wondering, is there no easy way to get to a suitable CSPRNG in
windows? If there is none am I the only one who sees a big problem with
that?

Love,

Chad Minick

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: CSPRNG under windows.

am 20.07.2011 08:22:34 von Pierre Joye

hi,

I did not try to access it using COM, but if the scprng you want is
the default provider, you can simply call openssl_random_pseudo_bytes
which uses the same API that what you are trying to call (php
5.3.7RC+).

Cheers,

On Wed, Jul 20, 2011 at 5:49 AM, cythrawll wrote:
> Hello PHP,
>
> I have plans on creating security framework for PHP websites, I would love
> to support windows but I am having trouble getting access to any sort of
> CSPRNG in windows, this is a bit of a problem....
>
> mcrypt supposedly will help with this, but I am having trouble finding
> easily accessible binaries that I could even dream of using it as a
> reasonable requirement for a framework.
>
> openssl_random_pseudo_bytes I hear has lots of entropy issues on windows...
> so it's not appropriate to use that either...
>
> I tried accessing the .NET csprng through DOTNET in PHP....
>
> $rand = new DOTNET('mscorlib',
> 'System.Security.Cryptography.RNGCryptoServiceProvider');
>
> $rand->GetBytes('somethinggoeshere');
>
> docs are here:
> http://msdn.microsoft.com/en-us/library/system.security.cryp tography.rngcryptoserviceprovider.aspx
>
> for some reason, no matter what I try to pass to GetBytes, won't work
> (throws wrong type exceptions), tried arrays, strings, various VARIANT
> objects... nothing seems to make it happy.
>
> So I am wondering, is there no easy way to get to a suitable CSPRNG in
> windows? If there is none am I the only one who sees a big problem with
> that?
>
> Love,
>
> Chad Minick
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>



--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: CSPRNG under windows.

am 20.07.2011 11:37:32 von Richard Quadling

On 20 July 2011 04:49, cythrawll wrote:
> Hello PHP,
>
> I have plans on creating security framework for PHP websites, I would love
> to support windows but I am having trouble getting access to any sort of
> CSPRNG in windows, this is a bit of a problem....
>
> mcrypt supposedly will help with this, but I am having trouble finding
> easily accessible binaries that I could even dream of using it as a
> reasonable requirement for a framework.
>
> openssl_random_pseudo_bytes I hear has lots of entropy issues on windows...
> so it's not appropriate to use that either...
>
> I tried accessing the .NET csprng through DOTNET in PHP....
>
> $rand = new DOTNET('mscorlib',
> 'System.Security.Cryptography.RNGCryptoServiceProvider');
>
> $rand->GetBytes('somethinggoeshere');
>
> docs are here:
> http://msdn.microsoft.com/en-us/library/system.security.cryp tography.rngcryptoserviceprovider.aspx
>
> for some reason, no matter what I try to pass to GetBytes, won't work
> (throws wrong type exceptions), tried arrays, strings, various VARIANT
> objects... nothing seems to make it happy.
>
> So I am wondering, is there no easy way to get to a suitable CSPRNG in
> windows? If there is none am I the only one who sees a big problem with
> that?
>
> Love,
>
> Chad Minick

You need to pass an array of System.Byte (VT_UI1). System.Byte is a
structure (http://msdn.microsoft.com/en-us/library/system.byte.aspx).

From what I've read online, a PHP array() will be correctly converted
to an .NET array. So, ...

$o_RNG = new DOTNET('mscorlib',
'System.Security.Cryptography.RNGCryptoServiceProvider');
$a_Bytes = array();
foreach(range(1, 10) as $i_Element) {
// VT_UI1 = a byte, but may not be a System.Byte
// which is a structure and not an object and I don't know
// if DOTNET/COM/VARIANT support these .NET structures.
$a_Bytes[] = new VARIANT(VT_EMPTY, VT_UI1);
}
var_dump($o_RNG->GetBytes($a_Bytes));
var_dump($a_Bytes);
?>

should work, but doesn't.

Fatal error: Uncaught exception 'com_exception' with message
'Parameter 0: Type mismatch.
' in Z:\rand.php:10
Stack trace:
#0 Z:\rand.php(10): dotnet->GetBytes(Array)
#1 {main}
thrown in Z:\rand.php on line 10


In reading http://msdn.microsoft.com/en-us/library/system.security.cryp tography.rngcryptoserviceprovider.aspx,
I see there is a GetType() method. So, thought I'd give that a go by
using ...

echo $o_RNG->GetType();

This results in an error also ...

Warning: Unknown: variant->zval: conversion from 0xd ret=-1 in
Z:\rand.php on line 10

So I'm pretty much guessing that the DOTNET route isn't going to work
any time soon.
--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php