TYPO3.Flow

That is a shortcoming of /Packages/Framework/TYPO3.FLOW3/Resources/PHP/iSecurity/Security_Randomizer.php, it also mentions in a comment that it probably won't work on Win 64-bit.

Maybe we should add a fallback to generate "not so strongly randomized data" to have it running on Win 64-bit but log the fact that it is not so secure? WDYT?

Christian Mueller wrote:

Maybe we should add a fallback to generate "not so strongly randomized data" to have
it running on Win 64-bit but log the fact that it is not so secure? WDYT?

+1
The Randomizer already comes with a fallback to mt_rand - but the problem is, that (in my case) it doesn't reach that fallback as it considers "00000000000000000000000000000000" as valid result.

Yep I see,

I guess it goes wrong around line 219 for you, maybe you check that out. It fills an array with zeros then uses the .NET crypto stuff, but finally it returns the array filled with zeros. For me this code looks plain wrong, I think this $variant thingy is filled with the random bytes and so its content needs to be returned there.

FYI: We have added two bug reports to the "Improved Security" project at SourceSorge

Patch set 2 of change I93c432e45071a3c5628e98b3fbefa7407c715c15 has been pushed to the review server.
It is available at http://review.typo3.org/5727