Cryptographically Secure Random Numbers in Unix-Linux
2025-07-22 blogpage til crypto cryptography python
https://x.com/i/grok/share/wEuX4JkCpt7EtAEm1wiuW9tb4
The default `random` library in Python (and in most other programming languages) is not secure for generating private keys.
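```python
import random

def insecure_private_key():
    # Mersenne Twister output: fine for simulations, not for keys.
    # Zero-padded so the result is always 64 hex digits.
    return format(random.getrandbits(256), "064x")
# cd6fd587101f73ab881fe377b5d87343a4e094dc8dcaa3cc54aef47670e1bfac
```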
The `random` module uses the Mersenne Twister Algorithm, which is deterministic: its output can be predicted if the seed is known. This makes it vulnerable to state recovery attacks.
To get secure random numbers, you need to take them either from the `/dev/urandom` file or from the `getrandom()` syscall (in Unix/Linux).
All options I could find are:

1. From the `/dev/urandom` file
   - read directly
   - read indirectly
     - by `os.urandom(32)`, which reads from `/dev/urandom`
     - by `random.SystemRandom`, which reads from `os.urandom(32)`
     - by `secrets`, which is built on top of `random.SystemRandom`
2. From the `getrandom()` syscall (Linux)
   - provides direct, secure access to the kernel entropy pool without going through the file system.
   - considered more secure and reliable than `/dev/urandom`
3. From the Hardware
4. From ANU Quantum Random Numbers
   - e.g. `curl "https://qrng.anu.edu.au/API/jsonI.php?length=32&type=uint8"`
   - They offer real quantum random numbers for anyone on the internet. They rate limit to 1 request per minute.
`/dev/urandom` is a cryptographically secure pseudorandom number generator (CSPRNG).

How is `/dev/urandom` generated? How frequently does it change?
```python
import secrets

def secure_private_key():
    # 32 bytes (256 bits) from the OS CSPRNG, hex-encoded
    return secrets.token_bytes(32).hex()
# cc9e7116e58c321f11c0116a5b34f883c730e69cae8ccb24b0c8b37046ea2f51
```
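The sources from the list above, called side by side from Python, with a seeded Mersenne Twister for contrast. This is an added example, not code from the original post; the function names are made up here, and `from_dev_urandom` / `from_getrandom` are assumed to return `None` on platforms that lack the device file or the syscall.

```python
import os
import random
import secrets

KEY_BYTES = 32  # 256-bit key, as in the post


def from_dev_urandom(n=KEY_BYTES):
    """Read the device file directly (unbuffered, so only n bytes are pulled)."""
    try:
        with open("/dev/urandom", "rb", buffering=0) as f:
            return f.read(n)
    except OSError:  # no such device on this platform
        return None


def from_getrandom(n=KEY_BYTES):
    """getrandom() syscall; os.getrandom exists only on Linux builds of Python."""
    try:
        return os.getrandom(n)
    except (AttributeError, OSError):  # not exposed, or kernel lacks the syscall
        return None


def from_system_random(n=KEY_BYTES):
    """random.SystemRandom draws from os.urandom instead of the Mersenne Twister."""
    return random.SystemRandom().getrandbits(n * 8).to_bytes(n, "big")


def secure_keys():
    """One hex key per source from the list; unavailable sources are skipped."""
    candidates = {
        "/dev/urandom": from_dev_urandom(),
        "os.urandom": os.urandom(KEY_BYTES),
        "random.SystemRandom": from_system_random(),
        "secrets": secrets.token_bytes(KEY_BYTES),
        "getrandom()": from_getrandom(),
    }
    return {name: raw.hex() for name, raw in candidates.items() if raw is not None}


def mersenne_key(seed):
    """The post's insecure generator with its seed made explicit (constructed seed)."""
    return format(random.Random(seed).getrandbits(KEY_BYTES * 8), "064x")


if __name__ == "__main__":
    for name, key in secure_keys().items():
        print(f"{name:20} {key}")
    # Same seed, same "private key": whoever learns the seed learns the key.
    print("seeded keys identical:", mersenne_key(2025) == mersenne_key(2025))
```
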
| Aspect | `random` | `secrets` |
|---|---|---|
| 🔒 Security | ❌ Not secure — predictable if seed/state is known | ✅ Secure — uses CSPRNG, safe for cryptographic use |
| 🧠 Predictability | ❌ Predictable (Mersenne Twister algorithm) | ✅ Unpredictable |
| 🕹️ Use Case | Simulations, games, statistics, shuffling, sampling | Generating tokens, passwords, keys, secure IDs |
| 🐢 Performance | ✅ Faster (no need for entropy source) | ❌ Slower (due to system entropy and security checks) |
| 📚 Functionality | Rich API: `shuffle()`, `gauss()`, `choice()`, etc. | Minimal API: `choice()`, `token_bytes()`, `randbelow()` |
| 🧪 Repeatability | ✅ Reproducible with `random.seed()` | ❌ No reproducibility — by design |
| 🧬 Determinism | ✅ Deterministic | ❌ Non-deterministic |
| 🧯 Resilience to Attack | ❌ Vulnerable to state-recovery and prediction attacks | ✅ Resists all known attacks (via OS CSPRNG) |
| 🕰️ Availability | Available since early Python versions | Introduced in Python 3.6 (2016) |
| 🏗️ Underlying Source | Mersenne Twister PRNG | OS-level CSPRNG (`/dev/urandom`, `CryptGenRandom`, etc.) |
Also see:
Outgoing Web References (5)
- quantumnumbers.anu.edu.au
  - ANU Quantum Random Numbers
- chatgpt.com/s/t_687f9e634624819192c7c18ad6320ec1
  - How is `/dev/urandom` generated? How frequently does it change?
- learnmeabitcoin.com/technical/keys/private-key
  - Private Key - A Very Large Random Number
- aragonie.com/blog/2016/05/how-generate-secure-random-numbers-in-various-programming-languages
  - How to Generate Secure Random Numbers in Various Programming Languages - Paragon Initiative Enterprises Blog
- www.2uo.de/myths-about-urandom
  - Myths about /dev/urandom