LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the difference between a "normal" random number generator and a cryptographically secure one (CSPRNG)?

A normal RNG produces uniformly distributed numbers; a CSPRNG additionally guarantees its output is unpredictable — even given all previous outputs, the attacker can't guess the next one.

Property Normal RNG CSPRNG
Uniform distribution
High throughput Usually ✅ Often slower
Output unpredictable to attacker
Suitable for simulations, games, random sampling
Suitable for keys, IVs, tokens, salts ❌ NEVER

Java examples:

Use case Class
Normal java.util.Random (linear congruential — predictable from 1–2 outputs)
Cryptographic java.security.SecureRandom (CSPRNG, OS-seeded)

Other CSPRNGs by platform:

Platform Cryptographic source
Linux /dev/urandom (or getrandom(2))
Windows BCryptGenRandom / CNG
macOS/iOS SecRandomCopyBytes / CCRandomGenerateBytes
Python secrets module
Node.js crypto.randomBytes (never Math.random())
Go crypto/rand (never math/rand)

Tip: If a code review shows Math.random(), rand(), time(NULL), or mt19937 being used to generate keys, IVs, session IDs, password-reset tokens, etc. — that's a real finding. The output is recoverable from a few observations and the attacker can predict future tokens.

From Quiz: ISF / Symmetric Cryptography | Updated: Jul 14, 2026