CSPRNG Documentation

This is a PHP library that utilizes available CSPRNGs and a set of convenience functions for generating cryptographically secure random tokens, numbers, and strings under a MIT or LGPL license. It works under a wide variety of web hosts including Windows.

Keep in mind that CSPRNGs are slower than their PRNG counterparts. Don't expect too much speed from this even though some effort has been made to make this a relatively fast implementation.


The following is a short list of features for this product:

And much more. Well, not really. A previous version of this project actually attempted to implement a CSPRNG in pure PHP so the feature list was more extensive. While I am certain that it was doing its job well in my own products, I can't guarantee that other developers were actually reading this documentation and taking the appropriate measures in theirs - and I'm convinced that the forums are evidence of the average skill level of those using my software. So the latest incarnations of this project rely on extensions that, since PHP 5.3, have become more readily available thanks to some work on the PHP core and web hosts caring more about such things since the original release of this project.

There's also a push for a unified entropy source in the core of PHP on the PHP internals list. If that happens, it would simplify this class to pretty much nothing.


CSPRNG is extracted from Barebones CMS and the license is also your pick of MIT or LGPL. The license and restrictions are identical to the Barebones CMS License.

If you find CSPRNG useful, financial donations are sincerely appreciated and go towards future development efforts.


CSPRNG 1.0RC5 is the fifth release candidate of CSPRNG.

Download csprng-1.0rc5.zip

If you find CSPRNG useful, please donate toward future development efforts.


Installing CSPRNG is easy. The installation procedure is as follows:

Installation is easy. Using it is a bit more difficult.


Like Barebones CMS, upgrading CSPRNG is easy - just upload the new files to the server and overwrite existing files.

Generating Tokens

Once a root seed has been created, any number of tokens can be generated using the root seed. Tokens can be used for any purpose. Barebones CMS generates two tokens for every login session. A public token is generated to be sent across the Internet to the user's browser and a private token is generated to be used internally for that session.

Creating a new token is easy:

	require_once "support/random.php";

	$rng = new CSPRNG();
	$token = $rng->GenerateToken();

Every self-managed user session should have two tokens: One public (transmitted across the Internet - for example, via a cookie), one private (not transmitted across the Internet). The public token should be used for locating the user session. The private token should be used for XSRF defense mechanisms.

Random Byte and Random Number Streams

Many people enjoy a good random byte. Random numbers can be delicious too. This class has methods that do both but I don't recommend licking your computer screen.

Generating random bytes is easy:

	require_once "support/random.php";

	$rng = new CSPRNG();
	$bytes = $rng->GetBytes(4096);
	echo bin2hex($bytes) . "\n";

Generating random integers is just as easy:

	require_once "support/random.php";

	$rng = new CSPRNG();
	for ($x = 0; $x < 100; $x++)
		$result = $rng->GetInt(0, 40);

		echo $result . "\n";

The example code above generates integers from 0 to 40 inclusive.

Generating alphanumeric strings (0-9, A-Z, and a-z) is also easy:

	require_once "support/random.php";

	$rng = new CSPRNG();
	$str = $rng->GenerateString();
	echo $str . "\n";

Which might output a string like "WUltaV3FT549bFDdfU0A39npRg1O1x7b".

What's Next?

For details on each function and class, see the Extra Components Documentation.

© CubicleSoft