Randomness is a hard problem for computers. For this reason most functions that generate randomness are not considered . That means that it is possible that an attacker can take a good guess at what number a non-secure randomness generator generated. cryptographically secure How can randomness be attacked? Many non-secure randomness (or entropy) generators would do something similar to the following: { hashedTime = sha256(timestamp) hashedTime % maxNumber
} ( ) function getRandom timestamp, maxNumber // Take the deterministic hash of the timestamp const // Reduce the hash to within the range [0, maxNumber) return This function (while ignoring some implementation details of modulus math by such a large number) will return random numbers that are based on the timestamp input, which is called the . If I pass in many different timestamps, the various outputs would . This is an example of a weak number generator. seed appear random pseudo-random A weak pseudo-random number generator works perfectly fine if one is trying to: Create sample data for an application Write a video game engine etc ... However, weak pseudo-randomness can be if one is trying to: catastrophically dangerous Generate Bitcoin keys Generate passwords or salts etc ... Strong Psuedo-Randomness (Cryptographically Secure) A software-only system like Qvault can at best generate strong pseudo-random data because we are working on deterministic systems. Without an outside source of entropy (like someone rolling dice and telling the computer each output), we are at the mercy of pseudo-randomness. crypto.randomBytes() Node's built-in crypto.randomBytes is a cryptographically secure random number generator that is based on . Depending on the operating system of the user, randomBytes will use openssl (unix) /dev/urandom or (windows) CryptoGenRandom While still pseudo-random sources, the important thing is that they are not guessable by an attacker. In other words, after using crypto.randomBytes() to generate a , an attacker can't recreate that code. recovery code in Qvault What do I do? In short, whenever you need raw random bytes. If you need a random number within a range, for example, a random number between 0-9, then use a non-biased function that uses as the source of entropy. For example: use crypto.randomBytes() crypto.randomBytes() node-random-number-csprng Good luck! Also, always check the source! By Lane Wagner Follow us on medium! https://medium.com/qvault Follow on Twitter @wagslane Previously published at https://qvault.io/2019/07/03/randomness-and-entropy-in-node-and-electron/

Twitter

The Government's Impact on Encryption

Stop With the Obfuscation: Encoding and Encryption are Not the Same

Learn to code on Boot.dev

Nominated for 2022 - HackerNoon Contributor of the Year - Algorithms

Nominated for 2022 - HackerNoon Contributor of the Year - Mathematics

Nominated for 2022 - HackerNoon Contributor of the Year - Cryptography

Nominated for Coding Guru of 2022

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Online Education

Nominated for 2022 - HackerNoon Contributor of the Year - Job Hunting

Nominated for Super Career Strategist of 2022

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Randomness and Entropy in Node and Electron

Randomness and Entropy in Node and Electron

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

A Complete Overview of Cryptography

102 Stories To Learn About Encryption

153 Stories To Learn About Cryptography

5 Books You Can Read to Boost Your Computer Science Knowledge

6 Not-so-obvious Tech Predictions

63 Stories To Learn About Quantum Computing

A Complete Overview of Cryptography

102 Stories To Learn About Encryption

153 Stories To Learn About Cryptography

5 Books You Can Read to Boost Your Computer Science Knowledge

6 Not-so-obvious Tech Predictions

63 Stories To Learn About Quantum Computing

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps