Lec 09 - Random Number

Uploaded by

Abc
Chapter 9

Random Number

Random Number
• Randomness
• Random Number Generator (RNG)
• HRNG
• PRNG
• Entropy
• Seed (Initial Entropy)
• Insecure Randomness
• Random Number in Python (PRNG)
• CSPRNG
• Random Number in Python (CSPRNG)

Randomness
• Randomness (entropy) plays an important role in cryptography.
• Random numbers must be unpredictable so that the algorithms relying on them cannot be compromised.
• Example:
  • Assume a secret key is used to protect financial assets.
  • This secret key should be randomly generated, so that nobody else is able to generate or hold the same key.
  • If the key is generated from a secure random generator, then it will be unpredictable and the system will be secure.
• Therefore "secure random" simply means "unpredictable random".

Random Number Generator (RNG)


• A random number generator (RNG) generates a set of values that do not display any distinguishable pattern in their appearance.
• RNGs are divided into two categories:
  • Hardware random number generator (HRNG), also called true random number generator (TRNG)
  • Pseudo-random number generator (PRNG)

HRNG
Hardware random-number generator (HRNG)
• It is believed to produce genuinely random numbers.
• It is a device that generates random numbers from a physical process rather than by means of an algorithm.
• It may generate values based on real random physical effects or attributes, such as atmospheric or thermal conditions.
• Examples of HRNG:
  • flipping a coin or tossing a die
  • a lottery machine
PRNG
Pseudo-random number generator (PRNG)
• It generates values based on software algorithms.
• However, these values are deterministic and can be reproduced if the algorithm is known.
• Hence, a secure PRNG is used: the cryptographically secure pseudo-random number generator (CSPRNG).
• It combines entropy with a PRNG and other techniques to make the generated randomness unpredictable.

Entropy
• Entropy is a measure of the uncertainty or disorder in a system, and is usually measured in bits.
• Good entropy comes from the surrounding environment, which is unpredictable and chaotic.
• Entropy can be obtained from many hard-to-predict events in the computer: keyboard clicks, mouse movements, network activity, camera activity, microphone activity and others, combined with the time at which they occur.

Seed (Initial Entropy)


• To be secure, a PRNG should start from a truly random initial seed that is absolutely unpredictable.
• If the seed is predictable, it will generate a predictable sequence of random numbers and the entire random generation process will be insecure.
• The unpredictable randomness at the start (the secure seed) is very important.

Insecure Randomness
• Insecure or compromised randomness can compromise cryptography.
• A story of stolen Bitcoins due to a broken random generator in Android: https://goo.gl/PFE1kr.
• Example:

  • The code generates a random number, but this number may be predictable.
  • The random library in Python (old versions) initializes the random generator seed with the current time.
  • If someone knows the current time at which the machine generated the random number, they are able to predict the random seed and the random numbers generated.

Another example:
• The code prints two equal numbers, both depending on the current time.
• The same time value in the initial seed causes the same (predictable) pseudo-random numbers to be generated in the output.
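
An added example, not the lecture's own code, of the failure the two examples above describe, next to the `secrets`-based replacement. The helper names and the timestamp are constructed for illustration: a clock-seeded generator repeats its output, and knowing the issue time to within a minute leaves only 61 possible values.

```python
import random
import secrets

# Constructed timestamp standing in for int(time.time()) when the token was issued.
ISSUED_AT = 1_700_000_000


def weak_token(seed_time: int) -> str:
    """Insecure (hypothetical helper): a PRNG seeded with the clock makes the 'secret'."""
    rng = random.Random(seed_time)
    return f"{rng.getrandbits(128):032x}"


def tokens_for_window(start: int, end: int) -> dict:
    """Map every token the weak generator can emit for seeds in [start, end]."""
    return {weak_token(t): t for t in range(start, end + 1)}


def strong_token() -> str:
    """Hardened: 128 bits from the OS CSPRNG, with no seed to reconstruct."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    first, second = weak_token(ISSUED_AT), weak_token(ISSUED_AT)
    print("same seed, same value:", first == second)

    # Knowing the issue time to within +/-30 s leaves 61 candidates, not 2**128.
    window = tokens_for_window(ISSUED_AT - 30, ISSUED_AT + 30)
    print("candidates:", len(window), "seed recovered:", window[first])

    print("CSPRNG token in candidate set:", strong_token() in window)
```

The length of the token is the same in both cases; what differs is the number of values the generator could have produced.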

Random Number in Python (PRNG)
• A random number generator is code that generates a sequence of random numbers based on some conditions that cannot be predicted other than by random chance.
• These random numbers are not truly random; rather, they are pseudo-random numbers.
• The built-in Python random module implements pseudo-random number generators for various distributions.
• However, this module is not cryptographically secure.

Built-in functions of the random module

Function | Description
randint(x, y) | Generates a random integer from x to y, including x and y.
randrange(start, stop, step) | Generates a random integer in the range(start, stop, step). start: start point of the range, included in the range (optional). stop: stop point of the range, excluded from the range. step: step to be added to a number to decide a random number (optional).
random() | Generates a random floating-point number in the interval [0,1]
seed(x) | Generates the same sequence of random numbers every time seed(x) is invoked.
sample(population, k) | Selects k unique random elements from a population sequence or set.
choice(seq) | Chooses a random element from a non-empty sequence seq.
choices(seq, k) | Chooses k random elements from a non-empty sequence seq.
shuffle(x) | Shuffles list x in place (reorganizes the order of the list items).

The Seed:
• The seed value is the base value used to generate random numbers.
• In Python, the seed value is provided with the random.seed() function.
• seed() is deterministic, meaning that given the same seed, it will produce the same sequence of numbers every time.
• If no seed value is given:
  • the current system time is used as the seed value
  • the OS's randomness sources are used to set the seed value

Random number without seed

• The random.random() function returns a random float in the interval [0.0, 1.0].
• The random numbers returned will be different based on the current system time or the OS's randomness sources.
• Values are drawn from a uniform distribution, meaning each value has an equal chance of being drawn.

Random number with same seed

• The seed() method is used to customize the start number of the random number generator.
• The same seed value produces the same pseudo-random values.

Set system time as a seed value

A seed value based on the system time produces different pseudo-random values.

Get a seed value by a random generator

• Python's random generator does not store a custom seed value in memory, i.e., it does not provide any method to get the current seed value.
• This method is time-based: it produces a different seed each time it is executed.
• The seed can be kept to produce the same result.

random.randint() function

The random.randint() function generates integers in the range [x, y].

random.choice(), random.sample() and random.shuffle()

CSPRNG
• A cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) with properties that make it suitable for use in cryptography.

• The properties of a CSPRNG:
  • It appears random
  • Its value is unpredictable in advance
  • It cannot be reliably reproduced after generation
Random Number in Python (CSPRNG)
• Two library modules in Python provide entropy to generate cryptographically secure random numbers:
  • secrets module
  • uuid module
• Both modules get entropy from the operating system, through the os module's os.urandom() method.

os.urandom() function
os.urandom(size)
• It returns a string of size random bytes suitable for cryptographic use.
• It uses system entropy sources to achieve better random generation.
• Entropy sources are unpredictable, like asynchronous events.
• For instance, the frequency of hitting the keyboard keys is unpredictable.
• Interrupts from other devices can also be unpredictable.

Secrets module
• The random numbers generated by the random module are pseudo-random numbers and are not cryptographically secure. See the warning on the random module's official documentation page: https://docs.python.org/3/library/random.html
• Hence, the secrets module is available from Python 3.6 onwards.
• The functions in the secrets module are divided into two groups: generating random numbers and generating tokens.

Secrets module (generate random numbers)
• secrets.randbits(k) — returns a random integer with k bits. The example below returns a random integer formed with 8 bits.
  • If k=4, the random integer will be from 0 to 15.
  • If k=8, the random integer will be from 0 to 255.
  • If k=16, the random integer will be from 0 to 65,535.
• secrets.randbelow(n) — returns a random integer in the range 0 to n (excluding n).
• secrets.choice(sequence) — returns a random element from a non-empty sequence.

Secrets module (generate random numbers)
• secrets.SystemRandom()
  • SystemRandom is a class that uses the os.urandom() function to generate secure random numbers.
  • The SystemRandom class is used to generate secure and cryptographically strong random numbers/tokens.
  • All the random module functions/methods can be accessed using a SystemRandom object.
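
An added example (not from the lecture) that runs the same random-module methods through `random.Random` and `secrets.SystemRandom`. The helper names are hypothetical; it shows that `SystemRandom` accepts `seed()` but ignores it and refuses to export its state, which is the "cannot be reliably reproduced" property listed for a CSPRNG.

```python
import random
import secrets


def draw(rng, seed):
    """Seed the generator, then call the ordinary random-module methods."""
    rng.seed(seed)  # a no-op stub on SystemRandom
    deck = list(range(52))
    rng.shuffle(deck)
    return (
        rng.randint(1, 10**9),
        rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
        tuple(rng.sample(range(1000), 5)),
        tuple(deck),
    )


def reproducible(make_rng, seed=1234) -> bool:
    """True if two fresh generators given the same seed yield the same draws."""
    return draw(make_rng(), seed) == draw(make_rng(), seed)


def state_exportable(rng) -> bool:
    """True if the internal state can be saved, and therefore replayed."""
    try:
        rng.getstate()
        return True
    except NotImplementedError:
        return False


if __name__ == "__main__":
    for name, factory in (("random.Random", random.Random),
                          ("secrets.SystemRandom", secrets.SystemRandom)):
        print(name, "reproducible:", reproducible(factory),
              "state exportable:", state_exportable(factory()))
```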

Secrets module (generate tokens)
• The secrets module also provides functions that can be used for applications such as password resets, hard-to-guess URLs, etc.
• Tokens need to have sufficient randomness to be secure against brute-force attacks and timing attacks.
• According to experts, 32 bytes (256 bits) of randomness is enough to secure against brute-force attacks.

Generating tokens
• secrets.token_bytes(n) – returns a random byte string containing n bytes.
• secrets.token_hex(n) – returns a random text string in hexadecimal (each byte converted to two hex digits).
• secrets.token_urlsafe(n) – returns a secure random URL-safe text string containing n random bytes. Use this method to generate secure, hard-to-guess URLs.
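
An added example (not the lecture's code) of the password-reset use mentioned above, using 32-byte tokens and a constant-time comparison against the timing attacks the text names. The function names, the in-memory dict standing in for a database, the 15-minute lifetime and storing only a SHA-256 digest are assumptions of this example.

```python
import hashlib
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness, the size recommended above


def token_lengths(n: int = TOKEN_BYTES) -> tuple:
    """Output length of each token function for the same n random bytes."""
    return (len(secrets.token_bytes(n)),     # n raw bytes
            len(secrets.token_hex(n)),       # 2 hex digits per byte
            len(secrets.token_urlsafe(n)))   # Base64 text, about 1.3 chars per byte


# Hypothetical helpers; `store` is a dict standing in for a database table.
def issue_reset_token(store: dict, user: str, now: float, ttl: float = 900.0) -> str:
    """Create a single-use token; keep only its SHA-256 digest and expiry."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    store[user] = (hashlib.sha256(token.encode()).hexdigest(), now + ttl)
    return token


def verify_reset_token(store: dict, user: str, presented: str, now: float) -> bool:
    """Constant-time comparison, expiry check, and removal on success."""
    record = store.get(user)
    if record is None:
        return False
    digest, expires = record
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    valid = secrets.compare_digest(candidate, digest) and now <= expires
    if valid:
        del store[user]  # a token may be redeemed only once
    return valid


if __name__ == "__main__":
    db = {}
    link_token = issue_reset_token(db, "alice", now=1000.0)
    print(token_lengths())
    print(verify_reset_token(db, "alice", "guess", now=1001.0))
    print(verify_reset_token(db, "alice", link_token, now=1001.0))
```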

16 token bytes

Built-in functions of the secrets module

Function | Description
secrets.SystemRandom() | Get an instance of the secure random generator
secrets.randbelow(n) | Generate a secure random integer number
secrets.choice(seq) | Returns a secure random element from a non-empty sequence
secrets.randbits(k) | Returns a secure unsigned integer with k random bits
secrets.token_bytes(n) | Return a secure random byte string
secrets.token_hex(n) | Return a secure random text string, in hexadecimal format
secrets.token_urlsafe(n) | Return a secure random URL-safe text string

UUID
• UUID stands for Universally Unique Identifier.
• A UUID is a 128-bit number used to uniquely identify documents, users, resources or information in computer systems.
• A UUID can guarantee the uniqueness of identifiers across space (based on the standard) and time.
• It provides uniqueness because it generates IDs on the basis of time and computer hardware (MAC address, etc.).

UUID in Python
• Python has built-in support for generating version 1, 3, 4 and 5 UUIDs.
• UUID1 generates a UUID using the host MAC address, a sequence number and the current time. This version uses IEEE 802 MAC addresses.
• UUID3 and UUID5 use cryptographic hashing and application-provided text strings to generate a UUID. UUID3 uses MD5 hashing, and UUID5 uses SHA-1 hashing.
• UUID4 uses pseudo-random number generators to generate a UUID.

uuid1() function

uuid1 is not safe: it raises privacy concerns because it exposes the computer's network address in the UUID.

uuid4() function

The UUID generated by the uuid4() function is created using a truly random or pseudo-random generator.

uuid3() function
UUID 3 uses MD5 hashing

It means a fully qualified domain name

uuid5() function
UUID 5 uses SHA-1 hashing

It means a fully qualified domain name
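
An added example (not from the lecture) that makes the differences between the four UUID versions visible: it reads the MAC address and creation time back out of a version-1 UUID and shows that versions 3 and 5 are fixed functions of their input. The helper names, the MAC address and the clock sequence are constructed for illustration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID v1 timestamps count 100-nanosecond intervals from this date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Constructed MAC address, passed explicitly so the example never reads a real one.
SAMPLE_NODE = 0x001A2B3C4D5E


def sample_v1() -> uuid.UUID:
    """A version-1 UUID built from the constructed node and clock sequence."""
    return uuid.uuid1(node=SAMPLE_NODE, clock_seq=0x1234)


def inspect_v1(u: uuid.UUID) -> dict:
    """Recover what a version-1 UUID discloses: host MAC and creation time."""
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))
    created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return {"version": u.version, "mac": mac, "created": created}


def name_based(name: str) -> tuple:
    """uuid3 (MD5) and uuid5 (SHA-1) are pure functions of namespace + name."""
    return uuid.uuid3(uuid.NAMESPACE_DNS, name), uuid.uuid5(uuid.NAMESPACE_DNS, name)


def classify(u: uuid.UUID) -> str:
    """Describe what the identifier is built from, by version."""
    if u.version == 4:
        return "random"
    if u.version == 1:
        return "host MAC and time"
    if u.version in (3, 5):
        return "hash of a name"
    return "unknown"


if __name__ == "__main__":
    v1 = sample_v1()
    print(v1, inspect_v1(v1))
    print(name_based("example.com") == name_based("example.com"))
    print(classify(uuid.uuid4()), uuid.uuid4() != uuid.uuid4())
```

For session IDs or other values that must be hard to guess, this is why only the random version is a candidate.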

Usage of UUID
• To generate unique Uniform Resource Names with a fixed size (128 bits) that is reasonably small compared to other alternatives.
• The generated UUID does not require a registration process.
• UUIDs are used in cryptography and cybersecurity applications.
• They are also used in banking to create a transaction ID when a user deposits money.
• They can be used to generate a unique session ID to help with state management.
