Randomness has always interested humankind: divination claims to see messages in everyday random patterns like tea leaves; in gambling games the outcome is often determined by some randomising device such as throwing dice or shuffling cards. Random numbers are also needed in activities like statistical sampling, computer simulation and cryptography – Secure Sockets Layer (SSL), Kerberos and other authentication protocols are based on random numbers. So, in this column, I’ll review the support for generating random numbers in the .NET Framework, illustrated, as ever, with PowerShell scripts.
The earliest random number generators (RNGs) were dice, and their use dates back to ancient Egypt, where they were used as the key element in various games of chance. As it turns out, dice are pretty good RNGs so long as they’re not loaded to favour certain numbers. One of their limitations is the speed of output, since you can generate numbers no faster than you can throw the dice – they’re not really a practical method for generating large volumes of random data. Today’s personal computers have support for generating “random numbers”, although strictly speaking such computer-generated numbers aren’t truly random, but only pseudo-random. Vendors have developed a variety of algorithms that generate number sequences that pass all the statistical tests used to distinguish random sequences from those containing internal order: at www.fourmilab.ch/random you’ll find a program you can use to assess the quality of a random number generator’s output. This program, ent.exe, reports how random the output appears to be. If you use a high-quality random number generator, its output is indistinguishable from a sequence of bytes chosen at random, though “indistinguishable” isn’t quite the same as genuinely random.
To get really random numbers, you have to turn to nature. One interesting resource is HotBits, which generates genuinely random number sequences by detecting radioactive decay events using a Geiger-Müller counter attached to a computer. The counter blips whenever a nucleus in a sample of Caesium 137 decays to Barium – it’s a physical certainty that such decays will occur, but the length of time between any two decays is random. HotBits detects the events and outputs the intervals as random numbers. You can use HotBits in your programs by filling in a web form at www.fourmilab.ch/hotbits/secure_generate.html, specifying how many random numbers you need and in what format, the result being returned as a web page. The screenshot shows some HotBits output – I requested ten random passwords, each made up of 16 letters and numbers (as an IT pro, you could use such randomly generated passwords for Windows Server service account passwords).
The site claims it keeps no record of the random numbers returned, but if you were planning on using HotBits to produce random data for cryptography or any other high-security application you’d probably want more convincing that the site is indeed not keeping your numbers – as with so many things on the web, caveat emptor.
If such issues concern you, there are other hardware solutions that enable you to self-host a physical generator. One example is Quantis, a physical random number generator (www.idquantique.com). Quantis is available as an OEM component that a computer manufacturer might mount on a motherboard, and it’s also supplied as a PCI card or as an external USB device. The USB version has drivers for Windows 2000 and XP, as well as Linux 2.4 and 2.6; the PCI card comes with Windows drivers as well as support for Sun Solaris (8, 9 and 10 for Sparc, X86 and X64), BSD and Linux (2.4 and 2.6). Vista isn’t supported explicitly yet, and there don’t appear to be any HCL signed drivers, which would be an issue for 64-bit versions of Vista that require drivers to be signed.
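For the service-account password use case mentioned above, passwords of the same shape as the HotBits request (ten strings of 16 letters and numbers) can also be produced locally, so the values never pass through a remote site. The PowerShell below is an added example, not part of the original column: it uses the .NET cryptographic generator, which is pseudo-random in the sense discussed earlier, and the function name `New-RandomPassword` and its parameters are assumptions made for illustration.

```powershell
# Added example: alphanumeric passwords from the .NET cryptographic RNG.
# New-RandomPassword and its parameters are hypothetical names for this sketch.
function New-RandomPassword {
    param(
        [int]$Length = 16,   # characters per password
        [int]$Count  = 10    # number of passwords to emit
    )

    # 62 symbols: upper-case, lower-case and digits.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()

    # Largest multiple of 62 that fits in one byte (4 * 62 = 248).
    # Bytes of 248 or more are thrown away: taking "byte % 62" over all 256
    # values would make the first 8 symbols turn up 5/256 of the time and
    # the remaining 54 only 4/256 of the time.
    $limit = 256 - (256 % $alphabet.Length)

    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 64
    try {
        for ($i = 0; $i -lt $Count; $i++) {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($buffer)          # refill with fresh random bytes
                foreach ($b in $buffer) {
                    if ($b -lt $limit -and $sb.Length -lt $Length) {
                        [void]$sb.Append($alphabet[$b % $alphabet.Length])
                    }
                }
            }
            $sb.ToString()                      # emit one password to the pipeline
        }
    }
    finally {
        # Wipe the working buffer; dispose the generator where the
        # framework version exposes IDisposable on it.
        [Array]::Clear($buffer, 0, $buffer.Length)
        if ($rng -is [System.IDisposable]) { $rng.Dispose() }
    }
}

# Ten passwords of 16 letters and numbers, as in the HotBits request.
New-RandomPassword -Length 16 -Count 10
```

Each character carries just under 6 bits (log2 of 62), so a 16-character password from this function has roughly 95 bits of entropy.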