Generating cryptographically safe random numbers.

I saw the following article on CNN: Simple passwords no longer suffice (June 1, 2004), which reminded me of the RNGCryptoServiceProvider class.

Do you generate random numbers for cryptographic purposes?

If so, check that your code uses the System.Security.Cryptography.RNGCryptoServiceProvider class to generate random numbers, and not the Random class. The Random class does not generate truly random numbers that are not repeatable or predictable.

Quoted from: Improving Web Application Security: Threats and Countermeasures [Chapter 21 – Code Review]
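As an added illustration (not part of the original post or the quoted book), here is the advice above in code: a password generator that draws its bytes from RNGCryptoServiceProvider and maps them onto an alphabet without modulo bias, with a Random-based version beside it only for contrast. It assumes .NET Framework 2.0 or later; the SecurePassword class name and the Alphabet string are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post. Assumes .NET Framework 2.0+.
static class SecurePassword
{
    // Constructed alphabet: 26 + 26 + 10 + 8 = 70 characters.
    const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";

    // INSECURE: System.Random is seeded from the clock and its output is
    // reproducible once a few values are observed. Shown only for contrast.
    static string WeakPassword(int length)
    {
        Random rnd = new Random();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[rnd.Next(Alphabet.Length)]);
        return sb.ToString();
    }

    // SECURE: bytes come from the OS cryptographic provider. Because 256 is not
    // a multiple of 70, a plain "byte % 70" would favour the first 46 characters;
    // rejecting bytes >= 210 (the largest multiple of 70 below 256) removes that bias.
    static string StrongPassword(int length)
    {
        if (length <= 0) throw new ArgumentOutOfRangeException("length");
        int limit = 256 - (256 % Alphabet.Length);   // 210 for a 70-char alphabet
        StringBuilder sb = new StringBuilder(length);
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buf = new byte[1];
        while (sb.Length < length)
        {
            rng.GetBytes(buf);
            if (buf[0] < limit)                      // rejection sampling
                sb.Append(Alphabet[buf[0] % Alphabet.Length]);
        }
        return sb.ToString();
    }

    static void Main()
    {
        Console.WriteLine("Random (not for secrets):  " + WeakPassword(16));
        Console.WriteLine("RNGCryptoServiceProvider:  " + StrongPassword(16));
    }
}
```

On average about 18% of the drawn bytes are rejected, so a single GetBytes call per character is the simplest correct approach; pulling a larger buffer at once only matters for very long outputs.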

3 Comments

  • hell I use it for all random numbers that matter....

  • Well technically the RNGCryptoServiceProvider won't generate TRULY random numbers either, will it? More likely they're just more random than the Random method; it's just another PRNG (Pseudo Random Number Generator). Is anyone aware of the algo used by this method, Yarrow, Fortuna?

  • Free TIP:

    Random class is not sealed.

    As a result you can easily create a SecureRandom adapter RandomNumberGenerator -> Random to not change your code too much and be a little bit more (it's never enough ;o) secure.

    I wonder why Microsoft has not supplied this yet. It will be nice to be able to retrieve a Random adapter from a RandomNumberGenerator instance. Navigating to betaplace. Done 319404459 ;o)

    Scott:

    RNGCryptoServiceProvider can use both software and hardware (like the Intel RNG) random number generators.

    Example:

    using System.Security.Cryptography;

    // Provider type 22 (PROV_INTEL_SEC) selects the Intel hardware RNG CSP.
    const int PROV_INTEL_SEC = 22;

    [...]

    // Bind the RNG to that provider type instead of the default CSP.
    CspParameters param = new CspParameters(PROV_INTEL_SEC);
    RNGCryptoServiceProvider prov = new RNGCryptoServiceProvider(param);

    byte[] buff = new byte[100];
    prov.GetBytes(buff); // fills buff with 100 random bytes from the chosen provider

    For a list of installed providers, take a look at
    HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types
