Random numbers play an important role in modern computer security. Many programs that use encryption need a good source of random numbers for producing session keys. For example, the PGP program uses random numbers for generating a random key which is used to encrypt the contents of electronic mail messages; the random key is then itself encrypted using the recipient's public key.
Random numbers have other uses in computer security as well. A variety of authentication protocols require that the computer create a random number, encrypt it, and send it to the user. The user must then decrypt the number, perform a mathematical operation on it, re-encrypt the number, and send it back to the computer.
A great deal is known about random numbers. Here are some general rules of thumb:
One of the best ways of generating a stream of random numbers is to make use of a random process, such as radioactive decay. Unfortunately, most UNIX computers are not equipped with Geiger counters. Thus, they need to use something else. Often, they use pseudorandom functions as random number generators.
A pseudorandom function is a function that yields a series of outputs which appears to be unpredictable. In practice, these functions maintain a large internal state from which the output is calculated. Each time a new number is generated, the internal state is changed. The function's initial state is referred to as its seed .
If you need a series of random numbers that is repeatable, you need a pseudorandom generator that takes a seed and keeps an internal state. If you need a non-reproducible series of random numbers, you should avoid pseudo- random generators. Thus, successfully picking random numbers in the UNIX environment depends on two things: picking the right random number generator, and then picking a different seed each time the program is run.