Questions tagged [pseudo-random-number-generator]

A pseudorandom number generator (PRNG) is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers.

A PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed (which may include truly random values). Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.

A PRNG suitable for cryptographic applications is called a cryptographically secure PRNG (CSPRNG). A requirement for a CSPRNG is that an adversary not knowing the seed has only negligible advantage in distinguishing the generator's output sequence from a random sequence.

24 questions
15 votes, 5 answers

Pseudorandom vs. True Random

Proper security algorithms demand true random numbers. For instance, secret keys & initialization vectors should never not be true random. However, generating numbers using Java's Random library or C's srand() initialization & then rand() are only…
4 votes, 2 answers

Is Java's probablePrime used in production?

Prime numbers are core in security. I saw this question about Java's probablePrime and was wondering if that API/approach is indeed used for real production-ready security code or other approaches are preferred to ensure there is 0 possibility of…
4 votes, 1 answer

Does rngd -r /path/to/file inject into /dev/urandom in addition to /dev/random?

I'm new to the /dev/random and /dev/urandom pipes in general and have an application calling from /dev/urandom which I'm attempting to inject entropy into. I'd prefer not to change the source for this application, but an additional process calling…
3 votes, 1 answer

Randomly generating invoice IDs

I'm in the process of setting up a local (i.e. offline and very limited) business, and I'm thinking of generating invoice IDs randomly to avoid the clients knowing that they're customer number #00000001 (and because I prefer something like #30549805…
3 votes, 2 answers

Is this method of 32 char hash generation secure enough for online-based attacks?

A fellow developer and I have been having a discussion about how vulnerable a few different methods of developing a hash are, and I've come here to see if smarter people than I (us?) can shed some light. In PHP, I feel the below is secure ENOUGH to…
2 votes, 1 answer

Did PHP's rand() get better?

I know that PHP used the system implementation for its rand() function, which is usually a weak LCG or LFSR implementation. Did this change? In case it still does, I am using Fedora 32. PHP states in its documentation that rand() does not create…
asked by dmuensterer

2 votes, 1 answer

Is getting 1-2 outputs from a CSPRNG to seed another CSPRNG less entropy than getting say 5000 outputs from a CSPRNG and using that to seed?

This question builds off of this question. I want to create more entropy from a viable entropy source to seed another CSPRNG. If I use window.crypto.getRandomValues(new Uint8Array(1)) to seed a CSPRNG, is that less entropy than if I…
asked by user215466

1 vote, 2 answers

How does /dev/random not leak future bytes from old ones

I want to generate 6 random words using Wiktionary and random numbers from /dev/random. I'll get a random number with /dev/random and then use the word from that index. I know /dev/random should be used to generate random keys, but if it's…
1 vote, 1 answer

Does combining a non-cryptographically secure string with a cryptographically secure string result in a cryptographically secure string?

I'm using php, but the general question applies to any confirmed cryptographically secure pseudo-random string concatenated with a non-cryptographically secure string. I know random_bytes generates a cryptographically secure string I know converting…
asked by TCooper

1 vote, 2 answers

Is it bad to reveal random bytes from a system?

Let's say you cat /dev/random or /dev/urandom all day from boot to system shutdown, either redirecting the output to a file, or just catting it (in a terminal, or whatever) doesn't matter. Is this insecure, or a bad idea? If so, why? Revealing…
1 vote, 1 answer

Is Python's `secrets` module using the same code as the `random` module?

The secrets module is marketed as a safe alternative to random for things that are meant to be secret. But what's the actual difference? Looking at their code, in some cases these libraries actually make reference to the same underlying…
1 vote, 1 answer

Does a TPM replace the default device's security, or add to it?

Does a TPM replace the default device's security, or add to it? I will try to reformulate it into 2 questions, just to explain what my question is, since I am not very good at English writing. If we take randomness as an example: Does the TPM…
1 vote, 1 answer

What effect does modulus have on CSPRNG outputs?

I work in security and I've seen modulus (modulo) used in many encoding and crypto algorithms. However, today, a friend of mine mentioned that using modulo like this: unsigned long int result = some_CSPRNG_output % 556600; "Limits the security…
1 vote, 1 answer

What is the correct way to seed CSPRNG functions?

When using CSPRNG (crypto secure pseudo random number generation) functions seeding is an important step. So what is the best way to seed a random number function?
asked by Lithilion

1 vote, 1 answer

How can I validate that a PRNG's output is insecure and predictable?

Say I talk to a developer who is using some output of a Pseudo-random number generator in order to do some security task. I know based upon common knowledge that only Cryptographically Secure Pseudo Random Numbers should be used. However, I want to…