Quiz Entry - updated: 2026.07.14
What is the difference between a "normal" random number generator and a cryptographically secure one (CSPRNG)?
A normal RNG produces uniformly distributed numbers; a CSPRNG additionally guarantees its output is unpredictable — even given all previous outputs, the attacker can't guess the next one.
| Property | Normal RNG | CSPRNG |
|---|---|---|
| Uniform distribution | ✅ | ✅ |
| High throughput | Usually ✅ | Often slower |
| Output unpredictable to attacker | ❌ | ✅ |
| Suitable for simulations, games, random sampling | ✅ | ✅ |
| Suitable for keys, IVs, tokens, salts | ❌ NEVER | ✅ |
Java examples:
| Use case | Class |
|---|---|
| Normal | java.util.Random (linear congruential — predictable from 1–2 outputs) |
| Cryptographic | java.security.SecureRandom (CSPRNG, OS-seeded) |
Other CSPRNGs by platform:
| Platform | Cryptographic source |
|---|---|
| Linux | /dev/urandom (or getrandom(2)) |
| Windows | BCryptGenRandom / CNG |
| macOS/iOS | SecRandomCopyBytes / CCRandomGenerateBytes |
| Python | secrets module |
| Node.js | crypto.randomBytes (never Math.random()) |
| Go | crypto/rand (never math/rand) |
Tip: If a code review shows Math.random(), rand(), time(NULL), or mt19937 being used to generate keys, IVs, session IDs, password-reset tokens, etc. — that's a real finding. The output is recoverable from a few observations and the attacker can predict future tokens.