Randomness Is the Foundation
Almost every cryptographic operation depends on unpredictable values: keys, salts, IVs, nonces, and tokens. If that randomness is predictable, an attacker can guess or recompute these values and the strongest cipher becomes useless.
Not All Randomness Is Equal
A general-purpose random function used for shuffling or simulations is often a pseudorandom generator seeded from a predictable value. It produces output that looks statistically random but is not unpredictable to an attacker who learns the seed.
Cryptography needs a cryptographically secure random number generator, or CSPRNG, which draws from entropy, the genuine unpredictability the operating system gathers from hardware events.
- Use the operating system's secure source for all security values.
- Never use a fast general-purpose random function for keys or tokens.
- Ensure enough entropy is available before generating long-lived keys.
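The contrast above as a runnable sketch (an added example, not code from the original page): a token built with Python's general-purpose random module from a timestamp seed can be regenerated by anyone who tries the seeds in a small window, while a token from the secrets module, which reads the operating system's CSPRNG, cannot. The function names, the timestamp, and the ten-minute window are constructed for illustration.

```python
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed: int, length: int = 24) -> str:
    """Anti-pattern: token from a general-purpose PRNG with a guessable seed."""
    rng = random.Random(seed)  # Mersenne Twister: same seed, same output
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(nbytes: int = 32) -> str:
    """Hardened form: token drawn from the operating system's CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def seed_reproducing(token: str, candidates: range) -> Optional[int]:
    """Audit check: return the candidate seed that regenerates `token`, if any."""
    for seed in candidates:
        if weak_token(seed, len(token)) == token:
            return seed
    return None


# Constructed sample: a token issued at a known-ish Unix time, and the
# +/- 5 minute window of seeds someone who saw the token could try.
ISSUED_AT = 1_700_000_000
WINDOW = range(ISSUED_AT - 300, ISSUED_AT + 301)

if __name__ == "__main__":
    weak = weak_token(ISSUED_AT)
    strong = secure_token()
    print("weak token:  ", weak)
    print("  seed found in window:", seed_reproducing(weak, WINDOW))
    print("secure token:", strong)
    print("  seed found in window:", seed_reproducing(strong, WINDOW))
```

Only 601 candidate seeds are needed to reproduce the weak token; the secure token has no seed to search for.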
Key idea
Cryptographic security collapses if randomness is predictable, so always draw keys, nonces, and tokens from a cryptographically secure generator backed by real entropy rather than an ordinary random function.