如何创建和使用随机数

如何创建和使用随机数

本文介绍了如何创建和使用随机数的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我运行一个网站,并有一个评分系统,让你点的时候,你玩游戏的数量。

I am running a website, and there is a scoring system that gives you points for the number of times you play a game.

它使用散列来证明HTTP请求的完整性进行打分,这样用户不能改变什么,但我担心可能会发生,有人想通了,他们并不需要去改变它,他们只需要得到一个高分,和复制的HTTP请求,标题和所有。

It uses hashing to prove the integrity of http request for scoring so users cannot change anything, however as I feared might happen, someone figured out that they didn't need to change it, they just needed to get a high score, and duplicate the http request, headers and all.

previously我被禁止防止这种攻击,因为它被认为是不可能的。但是,现在,它已经发生了,我可以。 HTTP请求源自一个Flash游戏,然后是由PHP验证和php其输入到数据库中。

Previously I'd been prohibited from protecting against this attack because it was considered unlikely. However, now that it has happened, I can. The http request originates from a flash game, and then is validated by php and php enters it into the database.

我是pretty的随机数肯定会解决这个问题,但我不完全知道如何实现它们。什么是建立一个随机数系统的常见的,安全的方式?

I'm pretty sure nonces will solve the issue, but I'm not exactly sure how to implement them. What is a common, and secure way of setting up a nonce system?

推荐答案

这其实很容易做到的。还有一些库都来为你做它:

It's actually quite easy to do... There are some libraries out there to do it for you:

  1. PHP杜撰库
  2. OpenID的随机数库
  1. PHP Nonce Library
  2. OpenID Nonce Library

或者,如果你想要写你自己的,这是pretty的简单。使用维基百科页面为起跳点,在伪code:

Or if you want to write your own, it's pretty simple. Using the WikiPedia page as a jumping off point, In pseudo-code:

在服务器端,您需要两个客户端调用的函数

On the server side, you need two client callable functions

getNonce() {
    $id = Identify Request //(either by username, session, or something)
    $nonce = hash('sha512', makeRandomString());
    storeNonce($id, $nonce);
    return $nonce to client;
}

verifyNonce($data, $cnonce, $hash) {
    $id = Identify Request
    $nonce = getNonce($id);  // Fetch the nonce from the last request
    removeNonce($id, $nonce); //Remove the nonce from being used again!
    $testHash = hash('sha512',$nonce . $cnonce . $data);
    return $testHash == $hash;
}

和在客户端:

sendData($data) {
    $nonce = getNonceFromServer();
    $cnonce = hash('sha512', makeRandomString());
    $hash = hash('sha512', $nonce . $cnonce . $data);
    $args = array('data' => $data, 'cnonce' => $cnonce, 'hash' => $hash);
    sendDataToClient($args);
}

功能 makeSecureHash 真的只是需要返回一个随机数字或字符串。的随机性越好,安全越好...还要注意的是,因为它的供给右入散列函数,实施细节不从请求以请求无关紧要。客户端的版本和服务器的版本不需要匹配。事实上,需要匹配100%的唯一位在使用的哈希函数的哈希(SHA512,$现时$ cnonce $的数据); ...下面是一个相当安全的 makeRandomString 函数的例子...

The function makeSecureHash really just needs to return a random number or string. The better the randomness, the better the security... Also note that since it's fed right into a hash function, the implementation details don't matter from request to request. The client's version and the server's version don't need to match. In fact, the only bit that needs to match 100% is the hash function used in hash('sha512', $nonce . $cnonce . $data);... Here's an example of a reasonably secure makeRandomString function...

function makeRandomString($bits = 256) {
    $bytes = ceil($bits / 8);
    $return = '';
    for ($i = 0; $i < $bytes; $i++) {
        $return .= chr(mt_rand(0, 255));
    }
    return $return;
}

这篇关于如何创建和使用随机数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-23 16:25