14.1 Create a Cryptographically Random Number



Problem

You need to create a random number that's suitable for use in cryptographic and security applications.

Solution

Use a cryptographic random number generator such as the System.Security.Cryptography.RNGCryptoServiceProvider class.

Discussion

The System.Random class is a pseudorandom number generator that uses a mathematical algorithm to simulate the generation of random numbers. In fact, the algorithm it uses is deterministic, meaning that you can always calculate what the next number will be based on the previously generated number. This means that numbers generated by the Random class are unsuitable for use in situations in which security is a priority, such as generating encryption keys and passwords.

When you need a nondeterministic random number for use in cryptographic or security-related applications, you must use a random number generator derived from the class System.Security.Cryptography.RandomNumberGenerator. The RandomNumberGenerator class is an abstract class from which all concrete .NET random number generator classes should inherit. Currently, the RNGCryptoServiceProvider class is the only concrete implementation provided. The RNGCryptoServiceProvider class provides a managed wrapper around the CryptGenRandom function of the Win32 CryptoAPI, and you can use it to fill byte arrays with cryptographically random byte values.

Important  

The numbers produced by the RNGCryptoServiceProvider class aren't truly random. However, they are sufficiently random to meet the requirements of cryptography and security applications in most commercial and government environments.

As is the case with many of the .NET cryptography classes, the RandomNumberGenerator base class is a factory for the concrete implementation classes that derive from it. Calling RandomNumberGenerator.Create("System.Security.Cryptography.RNGCryptoServiceProvider") will return an instance of RNGCryptoServiceProvider that you can use to generate random numbers. In addition, because RNGCryptoServiceProvider is the only concrete implementation provided, it's the default class created if you call the Create method without arguments, for example, RandomNumberGenerator.Create().

The following example instantiates an RNGCryptoServiceProvider object and uses it to generate random values. The method GetBytes fills a byte array with random byte values. As an alternative, you can use the GetNonZeroBytes method if you need random data that contains no zero values.

using System;
using System.Security.Cryptography;

public class SecureRandomNumberExample {

    public static void Main() {

        // Create a byte array to hold the random data.
        byte[] number = new byte[32];

        // Instantiate the default random number generator.
        RandomNumberGenerator rng = RandomNumberGenerator.Create();

        // Generate 32 bytes of random data.
        rng.GetBytes(number);

        // Display the random number.
        Console.WriteLine(BitConverter.ToString(number));
    }
}

Warning  

The computational effort required to generate a random number with RNGCryptoServiceProvider is significantly greater than that required by Random. For everyday purposes, the use of RNGCryptoServiceProvider is overkill. You should consider the quantity of random numbers you need to generate and the purpose of the numbers before deciding to use RNGCryptoServiceProvider. Excessive and unnecessary use of the RNGCryptoServiceProvider class could have a noticeable effect on application performance.
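
The following added example, which is not part of the original recipe, goes one step beyond it: it turns the bytes returned by GetBytes into a password without modulo bias, and shows the reproducibility of System.Random that the Discussion describes. The names Alphabet, NextIndex and NewPassword are chosen for this example, and the using statement assumes .NET Framework 4.0 or later, where RandomNumberGenerator implements IDisposable.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class SecurePasswordExample {

    // Constructed alphabet for this example (62 symbols).
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Returns a uniformly distributed index in [0, count), 1 <= count <= 256.
    // A plain "randomByte % count" over-represents low indexes whenever 256
    // is not a multiple of count, so bytes at or above the largest multiple
    // of count are discarded and redrawn (rejection sampling).
    public static int NextIndex(RandomNumberGenerator rng, int count) {
        if (count < 1 || count > 256)
            throw new ArgumentOutOfRangeException("count");
        int limit = 256 - (256 % count);
        byte[] one = new byte[1];
        do {
            rng.GetBytes(one);
        } while (one[0] >= limit);
        return one[0] % count;
    }

    // Builds a password of the requested length from the alphabet above.
    public static string NewPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) {
            for (int i = 0; i < length; i++)
                sb.Append(Alphabet[NextIndex(rng, Alphabet.Length)]);
        }
        return sb.ToString();
    }

    public static void Main() {
        // Two System.Random instances built from the same seed return the
        // same sequence, so anyone who learns or guesses the seed can
        // reproduce every value derived from it.
        Random a = new Random(12345);
        Random b = new Random(12345);
        Console.WriteLine(a.Next() == b.Next());

        // 20 symbols from a 62-symbol alphabet: about 119 bits of entropy.
        Console.WriteLine(NewPassword(20));
    }
}
```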




C# Programmer's Cookbook
ISBN: 735619301
EAN: N/A
Year: 2006
Pages: 266
