[Mono-dev] Crypto secure random numbers

Sebastien Pouliot sebastien.pouliot at gmail.com
Tue Aug 14 08:37:56 EDT 2007


Hello Karl,

On Tue, 2007-08-14 at 00:34 -0700, Karl McClendon wrote:
> This probably isn't the best place to ask this question, but...
> 
> How does System.Security.Cryptography.RNGCryptoServiceProvider (and
> similar) handle random number generation?  

RNGCryptoServiceProvider implementation differs from platform to
platform (so the best answer is in the runtime source code ;-). For most
people this either means /dev/random (Linux) or CryptGenRandom (Windows).

> I am asking this because I am going to use this to generate symmetric
> encryption keys and I don't want my communications to be vulnerable to
> attacks against a predictable random number generator.
> 
> If the generator is not cryptographically secure, has very few
> entropic sources, relies on /dev/urandom, etc... please email me back
> and I will write a proper engine.

The right way to do this is to write a new class that inherits from
RandomNumberGenerator. 

If you wish it to be used from any "correctly-written"(*) class (e.g.
within the Mono framework) then you only need to modify your
machine.config so that your class can replace the default RNG (which is
normally RNGCryptoServiceProvider).

(*) Code that uses, directly or indirectly, CryptoConfig to create
cryptographic objects. Sadly the framework itself doesn't enforce that
usage so user code may still call anything they want.
-- 
Sebastien Pouliot  <sebastien at ximian.com>
Blog: http://pages.infinit.net/ctech/
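
Added example, not part of the original message and not Mono's own code: a sketch of the approach described in the reply, showing a RandomNumberGenerator subclass, the machine.config mapping that makes CryptoConfig return it, and the difference between code that goes through CryptoConfig and code that does not. The namespace Example.Crypto, the class name CustomRng and the assembly name are assumptions; the class simply delegates to the platform RNG where a real replacement would put its own generator.

```csharp
using System;
using System.Security.Cryptography;

namespace Example.Crypto   // hypothetical namespace
{
    // Hypothetical replacement RNG. It delegates to the platform CSPRNG; a real
    // replacement would put its own generator behind the same two overrides.
    public sealed class CustomRng : RandomNumberGenerator
    {
        private readonly RNGCryptoServiceProvider inner = new RNGCryptoServiceProvider();

        public override void GetBytes(byte[] data)
        {
            if (data == null) throw new ArgumentNullException("data");
            inner.GetBytes(data);
        }

        public override void GetNonZeroBytes(byte[] data)
        {
            if (data == null) throw new ArgumentNullException("data");
            inner.GetNonZeroBytes(data);
        }
    }

    public static class Demo
    {
        // machine.config mapping, under <configuration><mscorlib> (assembly name assumed):
        // <cryptographySettings><cryptoNameMapping>
        //   <cryptoClasses>
        //     <cryptoClass CustomRng="Example.Crypto.CustomRng, Example.Crypto" />
        //   </cryptoClasses>
        //   <nameEntry name="RandomNumberGenerator" class="CustomRng" />
        //   <nameEntry name="System.Security.Cryptography.RandomNumberGenerator" class="CustomRng" />
        // </cryptoNameMapping></cryptographySettings>
        public static void Main()
        {
            // Resolved through CryptoConfig: picks up the mapping above.
            RandomNumberGenerator viaConfig = RandomNumberGenerator.Create();
            // Direct construction: bypasses CryptoConfig, so the mapping is ignored.
            RandomNumberGenerator direct = new RNGCryptoServiceProvider();

            byte[] key = new byte[32];   // 256-bit symmetric key
            viaConfig.GetBytes(key);

            Console.WriteLine("Create() -> " + viaConfig.GetType().FullName);
            Console.WriteLine("new      -> " + direct.GetType().FullName);
        }
    }
}
```

Without the mapping in place, both lines print RNGCryptoServiceProvider; with it, only the Create() path switches to the replacement class.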