I've been trying to write a simple helper method in C# that generates a cryptographically-secure random string with any given length and character set. I know that you shouldn't use the Random class if you want cryptographic security. In the past, the RNGCryptoServiceProvider class would always be suggested as an alternative to Random to provide cryptographic safety. That class is now obselete and RandomNumberGenerator is supposed to be used instead.
Now, what I'm confused about is that many answers in this famous question that are using the new RandomNumberGenerator class — such as this one — are using the GetBytes() method, and then doing lots of other stuff afterwards to make things work; but I don't understand why they're not using GetInt32() instead? It seems like that would make this much simpler.
This is what I'm talking about:
public string GenerateRandomString(int length, string charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
{
char[] result = new char[length];
for (int i = 0; i < length; i++)
result[i] = charSet[RandomNumberGenerator.GetInt32(charSet.Length)];
return new string(result);
}
My question is this: Is this way of generating random strings cryptographically sound or not? The fact I never saw this being done makes me uncertain, which is why I'm asking this question. And if it isn't, could you please explain why?
Thank you.
Aucun commentaire:
Enregistrer un commentaire