This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Time and Randomness Management Library

From OWASP
Jump to: navigation, search

Introduction

  • Time: This library is a wrapper library for PHPs own "time()" function. With the use of this library, our aim was to isolate our system with the "system clock" which is used by the PHP's "time()" function. A separate wrapper for time lets us move time forward (future) or backwards (past) without changing the actual system time. This central library can be reset-ed to a different time and that time would be reflected in all of the application, without having to change any other component in the system or application.
  • Random: This library is the central library to generate random numbers and strings for the whole application. Using this library we can generate cryptographically random strings of any length. This function also produces random integers.


Need for Time and Randomness Library

Time: With time, developers often feel the need to change the system time - maybe for testing purpose or for different time-zones. Whatever is the case, developers find a hard time using normal PHP's "time()" function. To change time to some other time, they have to change system time, which is not only insecure, but will also affect many functions inside the host operating systems which heavily depend on time, such as Cron jobs and time-triggered events. This also is not recommended on main servers as this can corrupt other authentication servers such as "Kerberos". Also it may give an attacker a window to launch some attacks to time-dependent functions. Thus, for all the reasons stated above, we strongly felt the need to generate a wrapper for time, so that change of time within an application can be isolated and controlled. With this we mean that change in time in one application must not affect any other application or system outside the scope of the application. To keep consistency between our application and PHP, we created our "time()" function with the same name as PHP's "time()" function. Thus within our library, calling "time()" function automatically calls PHPSEC's time() function rather than PHP's time() function.

Random: Similarly the need of randomness is crucial in an application. With random strings being so important in a secure application and because not having a separate function in PHP's library for generating a cryptographically secure random string of desired length, we decided to create a separate central library that can provide random strings of desired length. With this library the developers can create secure strings of desired length and can also generate a random integer within a desired range. To keep consistency between our application and PHP, we created our "rand()" function with the same name as PHP's "rand()" function. Thus within our library, calling "rand()" function automatically calls PHPSEC's rand() function rather than PHP's rand() function.


PHPSEC Time and Randomness Library Implementation

Time and Randomness libraries are core libraries. Unlike other libraries, core libraries are used by mostly all of the other libraries for various functions. With time and randomness being core, we can use their time() and rand() function wherever they are needed in the application. These libraries do not depend on any other component of the application and are truly stand-alone libraries. Their implementation details are as follows:

Time: Time library contains one function inside "phpsec" namespace - "time()". This library takes two arguments - the first argument is "mode" and the next argument is "desired time". By default "mode" is "CURR" and "desired time" is "0". Types of mode that are possible in our time() function are:

  • CURR: Used to request current time as specified. i.e. if the developer has set time to March 7, Sun, 1971, then this mode will return the current time that has passed since that time was kept.
  • SET: Used to set time to a desired time. The second argument here takes the desired time in unix timestamp format.
  • RESET: Used to reset time to the original system time.
  • MOV: Used to move time backward. The second argument here takes the time difference that is to be moved. e.g. 3600 will move the clock backward 3600 seconds.
  • SYS: Used to request system time. This mode will return the correct system time irrespective of the fact that the clock is moved forward or backward. Note the this does not changes the user-defined time. This just returns the correct system time.


Random: Random library contains two functions inside "phpsec" namespace - "rand()" and "randstr()". The former method is used to get random integer between a specified range and the latter function is used to get a random string of specified length. The "rand()" function takes two parameters - "min (Defaults to 0)" and "max (Defaults to null)". The other function "randstr()" takes only one parameter - the length of the string desired (defaults to 32). To generate a random string, we use the openssl function (openssl_random_pseudo_bytes). If that function is somehow not present, we use (posix_getpid()) and (memory_get_usage()) to generate the random string.

Other Helpful Links

Retrieved from "https://wiki.owasp.org/index.php?title=Time_and_Randomness_Management_Library&oldid=156023"