Cryptography for beginners: random number generators and symmetric encryption

Alex Alex 27 December 2019
Cryptography for beginners: random number generators and symmetric encryption

computers are, ultimately, calculating machines, therefore, you work deterministically. If, however, chance plays a large role in the cryptography, how can this be reconciled?

In the first part of this series was mentioned in connection with the One-Time Pad (OTP), how important is the Use of random or random number, to avoid recurring patterns. This can occur in, the encryption quickly, as at least the text messages are written in natural languages, the per-se special characteristics and patterns. This is to crack it open.

< / h3>series of articles the
  • part 1: the basics: What is Caesar? says
  • the
  • part 2: random number generators and symmetric encryption
  • the
  • part 3: Hashes and passwords
  • the
  • part 4: Asymmetric encryption
  • the
  • part 5: certificates, HTTPS, and co.

In view of the enormous computing power available today, even in mobile phones available, makes you wonder how hard it can be to generate a few random numbers. This task should, however, in the 21st century. Century to solve a relatively easy – most of the people think. How difficult this is actually, you realize, if you try even once by Hand, a random series of zeros and ones to write down. In the Following, the attempt of the author, caused by a spontaneous tap without a second Thought:


if we Analyze this number, we see that neither the one nor the other clause occurs more than two Times in a row – and even that is rare. In fact, the two numbers change Substantially with regularity. In a true random series longer sequences would have to be included, in the extreme case, you could even look like this:


Purely statistically, this series is not more likely or less likely than the previous one. To a people but planned and systematic.

the the
Milecia McGregor
< / h3>How Going Serverless Changed our DevOps Operations

Milecia McGregor (Flipped Coding)

API Conference
Milecia McGregor
< / h3>Mistakes to avoid while building API Products

Rahul Dighe (PayPal)

Sheen Brisals
< / h3>Modularizing your API with Domain Storytelling

Henning Schwentner (WPS – Workplace Solutions)

The lack of irregularity in the supposedly randomly generated results by the measure of entropy describe, indicating how unstructured Text is. Allied to this is the redundancy, which describes virtually the opposite of entropy: A real-random Text has a redundancy of 0, in natural-language texts you a

A random function to build

Now it was left in the cryptography, the generation of random numbers is rarely a human, but used the funds of the respective programming language. Virtually every language has suitable features, such as, for example, Math.random in JavaScript. So why not these features?

in fact, what to supply these functions is not a real random, but so-called pseudo-random. Because computers, as already mentioned, deterministic computing machine, you can create, by Definition, not random – otherwise you would be deterministic. Instead, the random number for Pseudo on mathematical functions not seized, are so complex that their results will look random, even if they are, strictly speaking,.

A simple example of the function in Listing 1.

const getrandom number = function (seed) {
const randomNumber = (seed * 7) % 11;

return randomNumber;

if you Call this function and initializes it with the value 1, is obtained in the first step, as a result, the number of 7. Using this result as starting value for the next Iteration, you get 5. Then you get 2, 3, and so on. The Modulo Division that is performed by % 11, causes that the results are all between 0 and 10. It generates numbers now ten chance, with this function the following row:

7 5 2 3 10 4 6 9 8 1

As you can see, is not elected, this series is not bad. Each number between 1 and 10 exactly once, that is, the Numbers are in principle evenly distributed. In addition, an increase in the Figures in part, and in part they fall. Some of the Numbers are close together (such as the 9 and 8), others, however, are far from each other (like the 3 and 10). All in all, this simple function so it is already a good first impression.

now, What happens if you need more than numbers to ten by chance? Unfortunately, it is foreseeable what will happen: As the 1 is the tenth result will be calculated as the eleventh value is the number of 7. From the eleventh (presumed) random number the results repeat themselves so. One speaks in this case, assume that the given random function has a Periodität of 10. The initial Select a different start value changes not really something, because the moves are only the beginning of the series, but not their Periodität.

what is striking is that the Periodität corresponds exactly to the area that the individual results are limited by the Modulo-Division. It is obvious, therefore, that one could zoom in on the Periodität and the function to improve, by choosing a larger value for the Modulo-Division, for example, 101. Then the following Numbers for the first hundred calls are:

7 49 40 78 41 85 90 24 67 65 51 54 75
20 39 71 93 45 12 84 83 76 27 88 10 70
86 97 73 6 42 92 38 64 44 5 35 43 99 87
3 21 46 19 32 22 53 68 72 100 94 52 61
23 60 16 11 77 34 36 50 47 26 81 62 30
8 56 89 17 18 25 74 13 91 31 15 4 28 95
59 9 63 37 57 96 66 58 2 14 98 80 55 82
69 79 48 33 29 1

As you can see, the previously mentioned positive aspects, as before, only the range of Numbers has increased. However, the larger the Divisor, the value range is greater, which is probably undesirable. To avoid separating the calculation of the next random number from the calculation of the next initial value, While the second one on the now well-known route is calculated, the result is the random number, by % 10 assigned to the new initial value, in turn, to get a smaller value range. This is the result Code shown in Listing 2.

const getrandom number = function (seed) {
const nextSeed = (seed * 7) % 101;
const randomNumber = nextSeed % 11;

return { randomNumber, seed: nextSeed };

it Performs this function well a hundred Times, you get the following Numbers:

7 5 7 1 8 8 2 2 1 10 7 10 9 9 6 5 5 1 1
7 6 10 5 0 10 4 9 9 7 6 9 4 5 9 0 5 2 10
0 10 3 10 2 8 10 0 9 2 6 1 6 8 6 1 5 5 0
0 1 3 6 3 4 4 7 8 8 1 1 6 7 3 8 2 3 9 4
4 6 7 4 9 8 4 2 8 0 3 2 3 10 3 0 5 3 2 4
0 7 1

Now the result is very good: All the Numbers between 0 and 10 are taken, the positive aspects have been retained, and occasionally Figures appear even multiple times in a row. And, finally, Only after a hundred random series of numbers repeated. Now you are in place of, 101 a larger Divisor increases the Periodität more.

in Spite of this good result should not be used in the practice, an own implementation of a random number to letter function. There are sufficiently good, already pre-defined Algorithms.

finally, there remains the question as to why the Numbers 7, 11 and 101 were selected. Would it work with other Numbers as well? The answer is simple: in Principle, the approach also works with other Numbers, but you should choose the Numbers so that there are Prime numbers. Otherwise, you do not makes use of the full range of potential outcomes, and earnings unnecessarily.

Real random use

Even if you can achieve the way shown good results for pseudo-random, the results are not good enough to be cryptographic requirements. There is actually a real coincidence is required, or at least something that comes real coincidence as close as possible. The name is a cryptographically secure random. Also there are in computers, where a different approach is resorted to.

to calculate

, Instead of random numbers, they are determined on the basis of physical effects, for example, by temperature fluctuations of the processor, the measurement inaccuracies of the Sensors and of similar values or not (you can't if at all) only under laboratory conditions, forecasts. All major operating systems to provide appropriate interfaces to such values, which can be used by programming languages then.

In Node.js serves the function of a random bytes from the module crypto that specifies the desired number of randomly generated Bytes, and a Callback (Listing 3). Alternatively, the function can be called synchronously, that is without Callback, but it then blocks further execution of the program, which is why the asynchronous variant

const crypto = require('crypto');

crypto.randomBytes(256, (err, buffer) => {
if (err) {
console.log('Failed to get random bytes.');


you use this program, you get the output of the Bytes generated in the Form of hexadecimal Codes, similar to the excerpt in Listing 4.


Depending on the application, you have to convert the Buffer of course, in the desired data format, but that is just a pure hard work. A secure OTP is now ready to operate.

the key to use with AES

Nevertheless, remains the Problem, that you can use the key for the OTP only Once. The key exchange is very complicated, which is why, in practice, often other procedures as the OTP is used. Historically, the DES method (Data Encryption Standard), long in use, of the is now viewed as unsafe, as well as its variant 3DES.

Since the turn of the Millennium, there is AES, the Advanced Encryption Standard, a De facto Standard, which can be found almost everywhere. Unlike Caesar, Vigenère and OTP AES encrypted, not one character at a time, but whole blocks of characters. Therefore, AES is a block cipher. The common block lengths are 128 Bit, 192 Bit and 256 Bit, wherein in each case a suitable key is required. Depending on the length of the block, they are referred to as AES-128, AES-192, or AES-256.

The basic process works in such a way that each Block is first decomposed into individual components. A table with four rows, but depending on the block size will be created a different number of columns: In the case of 128 Bits, there are four columns, 192-Bit, six -, and 256-Bit eight columns. Subsequently, the individual cells of this table are encrypted multiple times and reversed to be used, wherein each of the different areas of the key. How many iterations are performed, depends on the chosen block length: 128 Bit ten rounds to be run through, for 192 Bit twelve rounds and for 256 Bit four of the ten rounds.

In addition, there are various modes of operation for AES. The simplest is the ECB mode (Electronic Code Book), where each Block is individually encrypted. This goes hand in hand with a certain degree of uncertainty, since a plurality of identical blocks will be identically encrypted: So, you have those patterns and repetitions in the encrypted text that was to be avoided, actually. Therefore, the ECB is considered to be a mode in General, as unsafe, and should not be used.

much better it is with the CBC mode (Cipher Block Chaining), in which the encryption of each block is also the result of the encryption of its predecessor, is incorporated. Because of this, in turn, was influenced by his predecessor, will be encrypted-like blocks is always different, because you have sort of a different history. In principle, the procedure is similar to the Git or that of the Blockchain are drawn, where each digital fingerprint of an information unit information of the previous Rate.

However, this raises a Problem: For the first Block, there is no predecessor. Therefore, it relies on an initialization vector (IV). This is an artificially generated zeroth Block that is simply filled with random data. Thus, it is avoided that two messages that begin the same, are identically encrypted. However, this works only if for each message, a separate IV is generated. Since the IV is needed to Decrypt, he / she must be also stored. However, he does not have to be encrypted, instead, it can be stored in plain text alongside the encrypted message.

In Node.js the module crypto to re-matching functions. Most important is the function createCipheriv, with the help of a Stream to Encrypt on the Basis of an IV is generated. Then the encrypted message can be written to this Stream. Since the Stream is a Transform Stream that receives the result by reading the encrypted data from the Stream again. Similarly, the function createDecipheriv produces a Stream that previously encrypted data can decrypt it.

A simple function to Encrypt a text could look like in Listing 5 is shown.

const encrypt = async function (text, password, iv) {
const cipher = crypto.createCipheriv('aes-256-cbc', password, iv);

cipher.write(text, { encoding: 'utf8' });

let encrypted = ";

for await (const chunk of cipher) {
encrypted += chunk.toString('hex');

return encrypted;

The password and the IV to be created, wherein, for AES-256 a password with 32 Bytes of length, and an IV with 16 Bytes in length are required. The decryption works, then the analog to (Listing 6).

const decrypt = async function (text, password, iv) {
const decipher = crypto.createDecipheriv('aes-256-cbc', password, iv);

decipher.write(text, { encoding: 'hex' });

let decrypted = ";

for await (const chunk of decipher) {
decrypted += chunk.toString('utf8');

return decrypted;

AES 256 Bit in CBC mode is currently the De-facto Standard, when data are to be encrypted. It is for the foreseeable future, it is sufficiently safe, so you can use it well in everyday life. Since it is also supported by almost all popular programming languages and platforms as a standard, and also has no problems with the interoperability and the data exchange of encrypted messages.

conclusion and Outlook

Although the OTP thus provides a mathematically proven to be absolutely secure encryption, the requirements and restrictions that it will work in everyday life would. Therefore, have established themselves in the course of time, various other encryption algorithms, of which the state of the art and nowadays, the most common AES. In the case of AES, make sure to select a sufficiently large block size (in the ideal case, 256 Bit) and especially the correct operation mode: The use of ECB is considered insecure, it is preferable to use here in any case, the CBC mode.

But even if you are now with AES is a good encryption, on the Hand, these are not all problems solved: The key exchange between the transmitter and the receiver is a Problem, and the pure encryption does not protect against Manipulation. Before we devote ourselves to the Problem of key exchange, it will, therefore, go in the next episode of this series, the first goal is to detect a Manipulation of data by prints with digital fingerprints and Codes provides.

is not Important in cryptography, therefore, only know what Algorithms there are and which can use all of them, but also to have knowledge about what kind of collateral which algorithm offers, so you can combine the appropriate modules to fit exactly.

the the


Comments (0)

    No comments yet

You must be logged in to comment.