CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) is a random number generator that produces output suitable for use in cryptographic operations, where predictability would be a security vulnerability.
CSPRNG
CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) is a random number generator that produces output suitable for use in cryptographic operations, where predictability would be a security vulnerability.
Why It Matters
Weak random number generators produce predictable tokens, keys, and nonces — enabling attackers to guess credentials. Using a non-CSPRNG for security-critical values is a critical vulnerability that has led to real-world exploits.
How It Works
CSPRNGs use entropy from hardware sources (timing jitter, interrupt timing, thermal noise) combined with cryptographic algorithms to produce unpredictable output. In Node.js, `crypto.randomBytes()` uses the OS CSPRNG; in browsers, `crypto.getRandomValues()` does the same.
Best Practices
- Always use the platform CSPRNG (crypto.randomBytes, crypto.getRandomValues)
- Never use Math.random() for security-sensitive values
- Ensure sufficient entropy at application startup
Common Mistakes
- Using Math.random() for token generation
- Seeding a PRNG with predictable values (timestamps, PIDs)
- Implementing custom random generators instead of using the platform
How ShieldKey Helps
ShieldKey generates all Shield Tokens using Node.js crypto.randomBytes() — a CSPRNG backed by the operating system's entropy source. Tokens are cryptographically unpredictable.
Try ShieldKey FreeFAQ
What is a CSPRNG?
A CSPRNG is a random number generator designed for security. Unlike Math.random(), its output cannot be predicted even by an attacker who knows previous outputs.