It's generally known information that methods such as the array_rand() method in PHP are not considered cryptographically secure. I'm trying to understand under what situations the generated result may be predictable.
If I know the seed, the values in the array, a single generated value and how many times the method has been called before that value was generated, I know I can easily calculate all subsequently returned values. I can do that by writing my own script that uses the same seed and generates the same number of results, thus putting it in the same state.
Assuming I don't know the seed or the number of previously generated values, what are my chances/how low can I get the probability of predicting future values.
To define a more concrete example and make the question less theoretical, let's assume we're using array_rand to generate case-insensitive alphanumeric tokens with a length of 12. This is done by grabbing 12 values from a character array by calling array_rand 12 times, thus making the token [A-Z\d]{12}. I know I have one of a thousand consecutively generated tokens, but not which position it was generated in.
Can I predict the next token (assume I've not got the last token generated)? I'm assuming this can't be predicted with 100% accuracy, but what are the chances of brute forcing all possibilities for the next token, and how many would there be?
Assuming I can validate if a token is valid, how much does knowing 2 consecutive tokens (24 values) narrow my chances of predicting the 3rd, etc.
I've seen some research on cracking the state of rand, but the articles generally don't deal with constrained/truncated ranges.
P.S. I'm trying to understand the proof/math behind why it's insecure, not looking for suggestions of more secure approaches.
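Added illustration (not code from the question, and not PHP's own implementation): a Python model of the token scheme described above. It uses Python's random.Random, which is a Mersenne Twister like PHP's mt_rand, but Python's seeding and range reduction differ from PHP's, so it reproduces the structure of the problem (a 12-character [A-Z\d] token built from 12 draws, a 32-bit seed space), not PHP's actual output stream. The seed value, the alphabet constant and the function names are assumptions made for the example.

```python
import math
import random

# Constructed alphabet: the 36 symbols matching [A-Z\d] in the question.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
TOKEN_LEN = 12


def make_token(rng):
    # One token = 12 independent draws from the 36-symbol alphabet,
    # modelling 12 consecutive calls to array_rand() on that character array.
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def token_stream(seed, count):
    # The whole stream is a pure function of the seed: same seed, same tokens.
    # random.Random is MT19937; assumption: it stands in for PHP's mt_rand.
    rng = random.Random(seed)
    return [make_token(rng) for _ in range(count)]


def resume_from_known_position(seed, position, count):
    # Someone who knows the seed and how many tokens were generated before
    # can replay the generator into the same state and reproduce what follows.
    rng = random.Random(seed)
    for _ in range(position):
        make_token(rng)
    return [make_token(rng) for _ in range(count)]


def bits_per_token():
    # Apparent entropy of one token if every character were truly random:
    # 12 * log2(36), roughly 62 bits.
    return TOKEN_LEN * math.log2(len(ALPHABET))


def distinct_streams_upper_bound(seed_bits=32):
    # However long the stream of tokens, the number of distinct streams the
    # generator can ever produce is bounded by the seed space (2^32 for a
    # 32-bit seed), which is far below 36^12 per token.
    return 2 ** seed_bits


if __name__ == "__main__":
    seed = 12345  # constructed seed for the demonstration
    a = token_stream(seed, 1000)
    b = token_stream(seed, 1000)
    print("same seed reproduces all 1000 tokens:", a == b)
    print("replay from position 500:", resume_from_known_position(seed, 500, 2) == a[500:502])
    print("bits per token: %.2f" % bits_per_token())
    print("upper bound on distinct streams: 2^32 =", distinct_streams_upper_bound())
```

The two asymmetries the question is asking about show up directly: the stream is fully determined by (seed, position), and the seed space is about 32 bits while a single token looks like about 62 bits, so the number of possible streams is much smaller than the token format suggests.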