

Ask HN: What's the most secure cross-platform RNG option? - nulldata

I&#x27;m writing a very encryption heavy piece of software, and security is very important. With the big focus on RNG lately, I&#x27;ve really wanted to know what is the most secure. Hardware is ruled out due to possible backdooring.
======
tptacek
Just use /dev/urandom.

------
throwaway812
Just read from `/dev/urandom` (free Unices). It doesn't require any 3rd party
libraries, always exists, and has a great track record compared to e.g.
OpenSSL.

<editorializing>On Windows (or proprietary Unix), you can't verify the
implementation of any option for randomness.</editorializing>

------
rosenjon
You could try this out.
[http://www.random.org/clients/http/](http://www.random.org/clients/http/)

Of course, there is a trust issue with this service potentially. However,
supposedly, they use a random noise technique that is "true random".

~~~
nulldata
I can't expect the user to have an internet connection when needed. And having
to send something vital as this over an HTTP is just not an option.

~~~
tptacek
If those are the only two reasons you wouldn't get crypto randomness directly
from "random.org", you shouldn't be designing cryptosystems to begin with.

------
andrewcooke
you ask for cross-platform and you don't define "most secure". so it seems
like the "right" answer is the one that is believed to be secure and is as
cross-platform as possible. and i think that would be openssl.

it's famous for causing bugs/weaknesses from being used incorrectly, but afaik
it's secure if used correctly. and it compiles on a wide range of hardware.

