 marked as minor
Random number key length is not to RFC 5054
The server method protected function createRandomBigIntegerInRange() just calls protected function getSecureRandom($bits = 64) passing no arguments. That is actually a typo as it is 64 bytes which gives a 512 bit random number. RFC 5054 says that the minimum bits should be 256 and that the number should be in the range 1 to N. If N is 1024 then we are using twice the minimum bits but half the recommended bits of the RFC.
It is really cheap to generate a random number of bit length equal to the bit length of N (typically >=1024 bits). Given that PHP installs have a history of not quite so good random numbers, using the full bit length is a good idea. Then to put it into the range recommended by RFC 5054, which is [1,N), we can simply mod(N) the random and loop if it is zero.
Comments (5)

reporter 
reporter  edited description
clarifications.

reporter  edited description

reporter  changed status to resolved
Upgraded the random number generator logic into a common superclass which uses a min of 256 bits but which will otherwise use the bit length of N to generate a or b rounded up to the next byte. Some diagnostic test output is presented here.
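The approach described in the issue and its resolution, sketched as an added example (this is not the project's code). It assumes PHP 7 or later with the GMP extension; the function name randomInRange and the demo modulus are hypothetical.

```php
<?php
// Added illustration, not the project's implementation.
// Assumes PHP >= 7 (random_bytes, intdiv) and the GMP extension.

/**
 * Hypothetical helper: draw an SRP private value (a or b) in [1, N).
 * Uses max(256, bitlen(N)) random bits, rounded up to the next byte.
 */
function randomInRange(GMP $N, int $minBits = 256): GMP
{
    if (gmp_cmp($N, 1) <= 0) {
        throw new InvalidArgumentException('N must be greater than 1');
    }

    // Bit length of N, taken from its binary representation.
    $nBits = strlen(gmp_strval($N, 2));
    $bits  = max($minBits, $nBits);
    $bytes = intdiv($bits + 7, 8); // round up to the next whole byte

    do {
        // random_bytes() reads from the OS CSPRNG and throws on failure,
        // so a weak fallback generator is never used silently.
        $raw = gmp_import(random_bytes($bytes)); // big-endian unsigned
        // Reduce mod N as the issue proposes. When the draw is no wider
        // than N this carries a small modulo bias.
        $r = gmp_mod($raw, $N);
    } while (gmp_cmp($r, 0) == 0); // zero is outside [1, N): draw again

    return $r;
}

// Constructed 1024-bit stand-in modulus, NOT an RFC 5054 group.
$N = gmp_sub(gmp_pow(2, 1024), 105);
$a = randomInRange($N);

printf("bit length of N: %d\n", strlen(gmp_strval($N, 2)));
printf("bit length of a: %d\n", strlen(gmp_strval($a, 2)));
printf("1 <= a < N: %s\n",
    (gmp_cmp($a, 1) >= 0 && gmp_cmp($a, $N) < 0) ? 'yes' : 'no');
```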

reporter  edited description