Is there any fast implementation of a cryptographically secure pseudorandom number generator (CSPRNG) for C# 3.0 (.NET Framework 3.5), for authentication tokens?
How can I generate a cryptographically secure pseudorandom number in C#?
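using System.Security.Cryptography;
...
using(RandomNumberGenerator rng = new RNGCryptoServiceProvider())
{
    // 32 bytes = 256 bits of output from the OS-backed CSPRNG
    byte[] tokenData = new byte[32];
    rng.GetBytes(tokenData);
    // Base64 text form of the token (may contain '+', '/' and '=')
    string token = Convert.ToBase64String(tokenData);
}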
Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to the next 250 000 GUIDs returned by the function UuidCreate. This is why GUIDs should not be used in cryptography, e.g., as random keys. (from en.wikipedia.org/wiki/Globally_Unique_Identifier) – Torras
This isn't specifically cryptography, tho. And, it would be difficult to predict the initial state of the machine. – Vadnais
A common attack is to DDoS a server until it is restarted. Then predicting the initial state (system clock) is much easier. – Kun
Upd 2022: in .NET 6, RNGCryptoServiceProvider() is obsolete; usage of the static methods of RandomNumberGenerator is recommended.
private string GetRandomlyGenerateBase64String(int count)
{
    // count = number of random bytes; the Base64 string returned is longer than count
    return Convert.ToBase64String(RandomNumberGenerator.GetBytes(count));
}
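Building on the two answers above, an added example (not code from the thread) that compiles on .NET Framework 3.5: a URL-safe token, and an alphanumeric token drawn without modulo bias by rejection sampling. The names `TokenGenerator`, `NewUrlSafeToken` and `NewAlphanumericToken` and the 16-byte minimum are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; class and method names are hypothetical.
public static class TokenGenerator
{
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // One shared instance: RNGCryptoServiceProvider is documented as thread-safe,
    // and reusing it avoids paying the construction cost on every call.
    private static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();

    // byteLength random bytes as unpadded base64url (safe in URLs and cookies).
    public static string NewUrlSafeToken(int byteLength)
    {
        // Assumed policy of this example: at least 128 bits of randomness.
        if (byteLength < 16) throw new ArgumentOutOfRangeException("byteLength");
        byte[] data = new byte[byteLength];
        Rng.GetBytes(data);
        return Convert.ToBase64String(data)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Token whose characters are drawn uniformly from the 62-character alphabet.
    public static string NewAlphanumericToken(int length)
    {
        if (length < 1) throw new ArgumentOutOfRangeException("length");
        // 256 is not a multiple of 62, so "b % 62" alone would favour the first
        // 8 characters. Bytes >= 248 (the largest multiple of 62 <= 256) are rejected.
        int limit = 256 - (256 % Alphabet.Length);
        StringBuilder sb = new StringBuilder(length);
        byte[] buffer = new byte[length * 2]; // bulk fetch; refilled if rejections exhaust it
        while (sb.Length < length)
        {
            Rng.GetBytes(buffer);
            for (int i = 0; i < buffer.Length && sb.Length < length; i++)
            {
                if (buffer[i] < limit)
                    sb.Append(Alphabet[buffer[i] % Alphabet.Length]);
            }
        }
        return sb.ToString();
    }
}
```

A 22-character alphanumeric token carries about 131 bits of randomness (log2(62) ≈ 5.95 bits per character).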
That depends on what you mean by fast...
There is no really fast secure random generator. If you want fast, you should use the regular Random class. If you want secure you should use the random generator in the Cryptography namespace, but that is significantly slower. You simply can't have both.
If you're willing to do interop with a native crypto implementation you can have both excellent performance (several times faster than System.Random) and security. – Enugu
@CodesInChaos: So; fast, secure, simple - pick any two. :) – Schram