5

Is there a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) in Javascript?

I know I can generate a pseudo-random number using

Math.random();

function getRandomInt(max) {
  return Math.floor(Math.random() * Math.floor(max));
}

In Python I would use secrets() instead of random().

import secrets alphabet = string.ascii_letters + string.digits password = ''.join(secrets.choice(alphabet) for i in range(8))

In Go I would use the crypto.rand package instead of the math/rand package.

package main

import (
    "bytes"
    "crypto/rand"
    "fmt"
)

func main() {
    c := 10
    b := make([]byte, c)
    _, err := rand.Read(b)
    if err != nil {
        fmt.Println("error:", err)
        return
    }
    fmt.Println(bytes.Equal(b, make([]byte, c)))

}

Is there an equivalent in javascript?

Improve this question
5
  • Are you working in the browser or node? Commented Oct 29, 2019 at 0:51
  • 1
    Let's say both. How can I do it in both? Commented Oct 29, 2019 at 0:54
  • Why the downvote? Commented Oct 29, 2019 at 0:58
  • 2
    I didn't downvote. Probably someone came in and saw you didn't post a code sample? Commented Oct 29, 2019 at 0:59
  • didn't downvote either, but googling for "CSPRNG javascript" gives essentially the same information as you got here and would probably have been much quicker Commented Oct 29, 2019 at 13:45

1 Answer 1

Reset to default
9

In the browser, you can look into window.crypto.getRandomValues. See details here.

const array = new Uint32Array(10);
window.crypto.getRandomValues(array);

In node, take a peek at the crypto module.

const crypto = require('crypto');
crypto.randomBytes(20, (err, buffer) => {
  const token = buffer.toString('hex');
  console.log(token);
});

If you have browser support concerns, consider looking into an npm package like this one. Note: I've never used this one so I can't vouch for it.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

That package just uses the Node.js crypto module. browserify would work.
However, the MDN says this: "Don't use getRandomValues() to generate encryption keys. Instead, use the generateKey() method. There are a few reasons for this; for example, getRandomValues() is not guaranteed to be running in a secure context"... developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues
..."There is no minimum degree of entropy mandated by the Web Cryptography specification. User agents are instead urged to provide the best entropy they can when generating random numbers, using a well-defined, efficient pseudorandom number generator built into the user agent itself, but seeded with values taken from an external source of pseudorandom numbers, such as a platform-specific random number function, the Unix /dev/urandom device, or other source of random or pseudorandom data".

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.