I am looking for a good way to generate secure random numbers in Node.js. One answer that I have found and am using is crypto.randomInt(). Is this method cryptographically secure? Are there better options?
Is `crypto.randomInt()` cryptographically secure?
Asked Answered
The crypto module provides cryptographic functionality that includes a set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify functions.
So yes, you'd expect that this is secure, assuming that OpenSSL's random number generator is secure. There are very specific circumstances where the OS doesn't provide enough randomness which may mean that the OpenSSL random number generator is not well seeded. However, on a normal PC / server you'd expect it to be secure.
As always, you cannot create entropy using a deterministic system. So you should always make sure that a well seeded system random is available for the particular runtime. For VM's that generally means installing the client extensions, for instance, so that the hosts random pool can be accessed.
Creating your own entropy is very challenging - basically it is best to rely on the system provided random number generator anyway. The only thing you can basically do is to verify that the installation of the various software components has been performed correctly. So the OS and the OpenSSL library that is used should be configured correctly (e.g. compile flags). –
Del
© 2022 - 2024 — McMap. All rights reserved.
crypto.randomInt()does not accept any seed. So how can I make sure that the rng is well seeded? – Menam