Non-cryptographic PRNG

From Guidance Share

Revision as of 05:44, 17 August 2007; GardenTender (Talk | contribs)



Using a non-cryptographic pseudo-random number generator (PRNG) as a source of randomness for security purposes can be very dangerous, because the sequence of 'random' numbers it produces is actually predictable.

Applies To

  • Languages: All languages.
  • Operating platforms: All platforms.


rand() is the most commonly used non-cryptographic PRNG:

int randNum = rand();


  • Authentication: A weak source of random numbers could weaken the encryption method used to authenticate users. In this case, a password could potentially be discovered.


  • Use of a non-cryptographic PRNG for cryptographic tasks (such as key generation).


  • Design through Implementation: Use functions or hardware that rely on hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.
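
The following added example (not code from the original page) contrasts a key built from rand(), which is fully determined by its seed, with one read from the operating system's random source. It assumes a Linux/Unix host and uses /dev/urandom as the OS source in place of the functions named above; the helper names and the seed value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Weak (hypothetical helper): key bytes come from rand(), so the seed alone
 * determines every byte of the key. */
static void weak_key(unsigned int seed, unsigned char *buf, size_t len) {
    srand(seed);
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(rand() & 0xff);
}

/* Returns 1 when two keys generated from the same seed are byte-identical. */
int weak_key_repeats(unsigned int seed) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_key(seed, a, sizeof a);
    weak_key(seed, b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Hardened (hypothetical helper): key bytes come from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure; callers must treat failure as fatal
 * and never fall back to rand(). */
int strong_key(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb"); /* assumption: Linux/Unix host */
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Returns 1 when two CSPRNG keys differ, 0 if equal, -1 on read failure. */
int strong_keys_differ(void) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    if (strong_key(a, sizeof a) != 0 || strong_key(b, sizeof b) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void) {
    unsigned int seed = 1187329440u; /* constructed sample seed */
    printf("rand() key repeats for same seed: %d\n", weak_key_repeats(seed));
    printf("/dev/urandom keys differ: %d\n", strong_keys_differ());
    return 0;
}
```
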

Vulnerability Patterns

How Tos
