Most cryptographic procedures require random numbers. Many security applications have failed or been severely compromised because their random number generators failed to be sufficiently random. In particular, the rand() or Rnd() functions provided with programming languages like Visual Basic, C and Perl are not secure from a cryptographic point of view. For more details and examples see Software Generation of Practically Strong Random Numbers by Peter Gutmann.
Many procedures use a random session key to encrypt the body of the message. If this key is ever compromised (because the random numbers are predictable, or can be manipulated before being generated), an opponent who has had access to your encrypted messages can decipher them at his leisure. Do not use the standard Rnd() or rand() to generate your random session keys!
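The following added example (not code from the CryptoSys documentation) illustrates the point above in Python rather than Visual Basic, C or Perl. Python's random.Random is a Mersenne Twister, a general-purpose generator of the same kind as rand()/Rnd(): its output is completely determined by its seed, so a key derived from it is only as unguessable as the seed. The secrets module draws from the operating system's cryptographic generator instead. The names KEY_BYTES, weak_session_key, secure_session_key, seed_entropy_bits and keys_are_independent are assumptions chosen for this illustration.

```python
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit session key; a constructed example size


def weak_session_key(seed: int) -> bytes:
    """Session key from a general-purpose PRNG (Mersenne Twister here; rand()/Rnd()
    elsewhere). Anyone who knows or can guess the seed obtains the identical key."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def secure_session_key() -> bytes:
    """Session key from the operating system's cryptographic RNG (secrets -> os.urandom)."""
    return secrets.token_bytes(KEY_BYTES)


def seed_entropy_bits(distinct_seeds: int) -> float:
    """Effective strength of a seed-derived key: at most log2(distinct seeds) bits,
    however long the key itself is. A clock with one-second resolution gives
    86400 seeds per day, i.e. under 17 bits, for a nominally 128-bit key."""
    return math.log2(distinct_seeds)


def keys_are_independent(make_key, trials: int = 32) -> bool:
    """Sanity check on a key source: repeated calls must not repeat a key.
    A source that reuses a fixed seed fails this immediately."""
    seen = {make_key() for _ in range(trials)}
    return len(seen) == trials


if __name__ == "__main__":
    # Same seed, same key: the generator adds nothing the seed did not already contain.
    print(weak_session_key(12345).hex() == weak_session_key(12345).hex())   # True
    print(round(seed_entropy_bits(86400), 1))                                # 16.4
    print(keys_are_independent(secure_session_key))                          # True
```

The check in keys_are_independent only catches the grossest failure (a stuck or re-seeded source); passing it says nothing about unpredictability, which is why the source itself, not a statistical test on its output, is what has to be chosen correctly.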
As of September 2007, the random number generators (RNGs) in CryptoSys API and the CryptoSys PKI Toolkit use the techniques from NIST SP 800-90 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, March 2007 (pdf, 535 kB). This is now an Approved random number generator applicable to FIPS PUB 140-2 as per Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 24, 2007 (pdf, 129 kB). We also include the tests required to conform to FIPS PUB 140-2 Security Requirements for Cryptographic Modules (pdf, 1.4 MB).
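To show what an SP 800-90 deterministic random bit generator looks like in practice, here is an added example, written for this page and not the CryptoSys implementation: the HMAC_DRBG construction from SP 800-90A section 10.1.2 instantiated with SHA-256, together with the continuous random number generator test from FIPS 140-2 section 4.9.2 (each output block is compared with the previous one; a repeat means the generator is stuck). The class and function names, the RESEED_INTERVAL value and the block size used by the continuous test are assumptions for the illustration; seeding from os.urandom stands in for whatever entropy source a real module would use.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
OUTLEN = HASH().digest_size       # 32 bytes for SHA-256
RESEED_INTERVAL = 1 << 16         # generate calls allowed between reseeds (assumed limit;
                                  # SP 800-90A permits up to 2**48)


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A section 10.1.2) with SHA-256.
    Example code, not the CryptoSys generator. Constructor = Instantiate."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < OUTLEN:
            raise ValueError("entropy input must be at least %d bytes" % OUTLEN)
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: fold provided_data into the internal state (K, V).
        self.K = _hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = _hmac(self.K, self.V)
        if provided_data:
            self.K = _hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = _hmac(self.K, self.V)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        if len(entropy) < OUTLEN:
            raise ValueError("entropy input must be at least %d bytes" % OUTLEN)
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = _hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)   # refresh state so past output cannot be recovered
        self.reseed_counter += 1
        return out[:n]


def continuous_test_passes(source, block_size: int = 16, blocks: int = 8) -> bool:
    """FIPS 140-2 section 4.9.2 continuous RNG test over `blocks` blocks.
    `source(n)` must return n bytes. The first block is saved but not used;
    each later block is compared with its predecessor and a repeat fails the test."""
    previous = source(block_size)
    for _ in range(blocks):
        current = source(block_size)
        if current == previous:
            return False
        previous = current
    return True


def new_session_key_drbg(personalization: bytes = b"session-keys") -> HmacDrbg:
    """DRBG seeded from the OS entropy source and checked before first use."""
    drbg = HmacDrbg(os.urandom(OUTLEN), os.urandom(OUTLEN // 2), personalization)
    if not continuous_test_passes(drbg.generate):
        raise RuntimeError("DRBG failed the continuous RNG test")
    return drbg


if __name__ == "__main__":
    drbg = new_session_key_drbg()
    print(drbg.generate(16).hex())   # a fresh 128-bit session key
```

Two properties worth noticing: with a fixed entropy input the generator is fully deterministic (which is what makes known-answer tests possible), and the final _update after each generate call means that learning the current state does not reveal earlier output. The continuous test is deliberately weak; it detects a stuck source, not a poorly seeded one, so the quality of the entropy fed to the constructor still decides the security of every key produced.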
The algorithm used for our random number generators has been published for peer review and comment.
For more information or to comment on this page, please send us a message.
This page last updated 15 August 2025.