Randomness and Entropy in Node and Electron

Written by wagslane | Published 2020/02/29
Tech Story Tags: cryptography | electron | entropy | javascript | nodejs | randomness | random | programming

TLDR Most functions that generate randomness are not considered cryptographically secure. That means that an attacker can take a good guess at what number a non-secure randomness generator generated. Strong pseudo-randomness (or entropy) generators are not guessable by an attacker. A software-only system like Qvault can at best generate strong pseudo random data because we are working on deterministic systems. If you need a random number within a range of 0-9, then use non-biased function that uses crypto.randombytes() as the source of entropy.via the TL;DR App
Randomness is a hard problem for computers. For this reason most functions that generate randomness are not considered cryptographically secure. That means that it is possible that an attacker can take a good guess at what number a non-secure randomness generator generated.

How can randomness be attacked?

Many non-secure randomness (or entropy) generators would do something similar to the following:
function getRandom(timestamp, maxNumber){
  // Take the deterministic hash of the timestamp
  const hashedTime = sha256(timestamp)
  // Reduce the hash to within the range [0, maxNumber)
  return hashedTime % maxNumber
}
This function (while ignoring some implementation details of modulus math by such a large number) will return random numbers that are based on the timestamp input, which is called the seed. If I pass in many different timestamps, the various outputs would appear random. This is an example of a weak pseudo-random number generator.
A weak pseudo-random number generator works perfectly fine if one is trying to:
  • Create sample data for an application
  • Write a video game engine
  • etc ...
However, weak pseudo-randomness can be catastrophically dangerous if one is trying to:
  • Generate Bitcoin keys
  • Generate passwords or salts
  • etc ...

Strong Psuedo-Randomness (Cryptographically Secure)

A software-only system like Qvault can at best generate strong pseudo-random data because we are working on deterministic systems. Without an outside source of entropy (like someone rolling dice and telling the computer each output), we are at the mercy of pseudo-randomness.

crypto.randomBytes()

Node's built-in crypto.randomBytes is a cryptographically secure random number generator that is based on openssl. Depending on the operating system of the user, randomBytes will use
/dev/urandom (unix)
or
CryptoGenRandom (windows)
While still pseudo-random sources, the important thing is that they are not guessable by an attacker. In other words, after using crypto.randomBytes() to generate a recovery code in Qvault, an attacker can't recreate that code.

What do I do?

In short, use crypto.randomBytes() whenever you need raw random bytes. If you need a random number within a range, for example, a random number between 0-9, then use a non-biased function that uses crypto.randomBytes() as the source of entropy. For example:
node-random-number-csprng
Good luck! Also, always check the source!
By Lane Wagner
Previously published at https://qvault.io/2019/07/03/randomness-and-entropy-in-node-and-electron/
Written by wagslane | Founder of Boot.dev. Whining about coding sins since 2011. Committing coding sins for the same.
Published by HackerNoon on 2020/02/29
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy