Why Randomness Matters
Cryptographic keys, nonces, and IVs must be unpredictable. If an attacker can guess your random numbers, they can break your encryption regardless of the algorithm strength.
Critical: Weak randomness has broken real systems. Debian's patched OpenSSL (2008) seeded its PRNG from little more than the process ID, leaving at most 32,768 possible keys per architecture and key size; Android's SecureRandom (2013) repeated ECDSA nonces and exposed the private keys of Bitcoin wallets; and many smart cards have shipped with biased or repeated keys. Never use Math.random() or similar for crypto!
Types of RNG
- TRNG (hardware): true random from physical phenomena
- CSPRNG (software): cryptographically secure pseudo-RNG, seeded from a TRNG or the OS entropy pool
- PRNG (insecure): regular pseudo-random (NOT for crypto!)
Secure Sources
Platform-Specific CSPRNGs
Linux: getrandom() (preferred; blocks only until the pool is initialized at boot), /dev/urandom
Windows: BCryptGenRandom() (CryptGenRandom() is deprecated but uses the same system RNG)
macOS: SecRandomCopyBytes(), also getentropy() and arc4random_buf()
Browser: crypto.getRandomValues(), crypto.randomUUID()
Python: secrets module (backed by os.urandom(); random.SystemRandom for the random API)
Node.js: crypto.randomBytes(), crypto.randomInt()
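The following is an added example, not code from the original page: it shows the Python side of the list above, drawing keys, IVs and nonces from the OS CSPRNG via the secrets module and os.urandom(), and two details practitioners get wrong even with a good source: generating an integer in a range without modulo bias (rejection sampling, which is what secrets.randbelow() does internally) and producing AES-GCM nonces that cannot repeat under one key. The parameter sizes (AES-256 key, 96-bit GCM nonce, 128-bit CBC IV) and the GcmNonceSequence layout are this example's assumptions.

```python
import os
import random
import secrets

# Sizes assumed for this example: AES-256 key, 96-bit AES-GCM nonce, 128-bit AES-CBC IV.
KEY_BYTES = 32
GCM_NONCE_BYTES = 12
CBC_IV_BYTES = 16


def generate_key(nbytes: int = KEY_BYTES) -> bytes:
    """Symmetric key from the OS CSPRNG. secrets.token_bytes() wraps os.urandom(),
    which is getrandom()/urandom on Linux, BCryptGenRandom on Windows and the
    kernel RNG (via getentropy) on macOS."""
    return secrets.token_bytes(nbytes)


def generate_iv(nbytes: int = CBC_IV_BYTES) -> bytes:
    """A fresh IV for every CBC message; os.urandom() is the same source secrets uses."""
    return os.urandom(nbytes)


class GcmNonceSequence:
    """Never-repeating 96-bit nonces for one key (layout assumed for this example).

    Purely random 96-bit nonces start colliding with noticeable probability
    around 2**32 messages (birthday bound). For a long-lived key use a counter:
    4 random bytes distinguish this process/session, 8 bytes count messages,
    and the sequence refuses to wrap instead of silently reusing a nonce.
    """

    def __init__(self) -> None:
        self._prefix = secrets.token_bytes(4)
        self._counter = 0

    def next_nonce(self) -> bytes:
        if self._counter >= 2**64:
            raise RuntimeError("nonce space exhausted: rotate the key")
        nonce = self._prefix + self._counter.to_bytes(8, "big")
        self._counter += 1
        return nonce


def unbiased_randbelow(n: int) -> int:
    """Uniform integer in [0, n) by rejection sampling, the technique
    secrets.randbelow() uses. `os.urandom(1)[0] % n` would be biased: for
    n = 100, the values 0..55 occur 3 times in 256 and 56..99 only twice."""
    if n <= 0:
        raise ValueError("n must be positive")
    k = n.bit_length()
    while True:
        r = secrets.randbits(k)  # uniform over [0, 2**k), with 2**k < 2n
        if r < n:                # accept; fewer than 2 draws expected
            return r


def csprng_backed_generator() -> random.Random:
    """If you need the random.Random API (shuffle, sample, choice), use
    SystemRandom: same interface, but every call reads os.urandom(). Plain
    random.Random() is a Mersenne Twister whose full state can be recovered
    from 624 consecutive 32-bit outputs."""
    return random.SystemRandom()


if __name__ == "__main__":
    seq = GcmNonceSequence()
    print("key  ", generate_key().hex())
    print("iv   ", generate_iv().hex())
    print("nonce", seq.next_nonce().hex(), seq.next_nonce().hex())
    print("d100 ", unbiased_randbelow(100))
```

The counter-based nonce is only safe when a single sequence object owns the key; two processes that each create a GcmNonceSequence for the same key rely on the 4-byte random prefix not colliding, which is fine for a handful of writers but not for thousands.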
Entropy Sources
User input: keyboard timing, mouse movements
Disk timing: HDD seek time variations
Network: packet arrival timing jitter
Hardware RNG: Intel RDRAND/RDSEED, ARM RNDR
Common Mistakes
- Using Math.random() or rand()
- Seeding with time alone
- Using /dev/random for bulk reads: on older Linux kernels it blocks whenever the entropy estimate drops, yet is no more secure than /dev/urandom once the pool is seeded (since Linux 5.6 both devices draw from the same CSPRNG after boot). Prefer getrandom() or /dev/urandom.
- Reusing nonces or IVs
- Rolling your own PRNG
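Two of the mistakes above are easy to demonstrate concretely. The block below is an added example, not part of the original page: the first half seeds Python's Mersenne Twister with a second-resolution clock and shows that an attacker who knows roughly when a token was issued recovers the seed by brute force (and thus every later output); the second half shows why nonce reuse is fatal for any stream or CTR-mode cipher. The keystream there is a toy HMAC-SHA256 counter construction standing in for AES-CTR/GCM or ChaCha20 (an assumption of this example, not a real cipher): the property that matters, keystream depending only on (key, nonce), is the same.

```python
import hashlib
import hmac
import random
import secrets
from typing import Optional

# --- Mistake: seeding with time alone -----------------------------------------

def weak_token(seed: int) -> str:
    """The mistake: seed the Mersenne Twister with the clock (second resolution)
    and hand its first output out as a 'secret' token."""
    rng = random.Random(seed)
    return "%016x" % rng.getrandbits(64)


def recover_seed(observed: str, approx_issue_time: int, window: int = 3600) -> Optional[int]:
    """Attacker side: the seed space is just 'seconds near issue time'. Replay the
    generator for every candidate; a match reveals the seed, after which all later
    tokens from that generator are predictable. A few thousand candidates is instant."""
    for candidate in range(approx_issue_time - window, approx_issue_time + window + 1):
        if weak_token(candidate) == observed:
            return candidate
    return None


def strong_token() -> str:
    """The fix: 64 bits straight from the OS CSPRNG; there is no seed to recover."""
    return secrets.token_hex(8)

# --- Mistake: reusing a nonce with a stream / CTR-mode cipher -----------------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter), concatenated.
    Illustrative only; it models the one property that matters here, that the
    keystream is a function of (key, nonce) alone."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream; the same call decrypts."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_from_nonce_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two ciphertexts under the same (key, nonce): c1 XOR c2 = p1 XOR p2, the
    keystream cancels. Knowing (or guessing) p1 yields p2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


if __name__ == "__main__":
    issued_at = 1_700_000_000                      # constructed timestamp
    token = weak_token(issued_at)
    print("weak token", token, "seed recovered:", recover_seed(token, issued_at + 1234))

    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    c1 = stream_encrypt(key, nonce, b"transfer 100 to alice")   # constructed messages
    c2 = stream_encrypt(key, nonce, b"transfer 999 to mallo")
    print("p2 recovered:", recover_from_nonce_reuse(c1, c2, b"transfer 100 to alice"))
```

For AES-GCM nonce reuse is worse still: besides leaking plaintext XORs it exposes the authentication subkey, so the attacker can forge tags as well.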