NIAP: View Technical Decision Details
Archived TD0390:  Cryptographically Secure RNG

Publication Date

Protection Profiles

Other References

Issue Description

TD0172 makes reference to System.Random, which is not a cryptographically secure method for generating random numbers on Windows platforms. The PP itself also references the Namespace System.Random that is documented by Microsoft for the .NET frameworks.


This TD replaces TD0172.

In FCS_RBG_EXT.1, the Assurance Activity for Windows shall be updated as follows:

For Windows:

The evaluator shall verify that rand_s, RtlGenRandom, BCryptGenRandom, or CryptGenRandom API is used for classic desktop applications. The evaluator shall verify that the System.Random API RNGCryptoServiceProvider class or a class derived from System.Security.Cryptography.RandomNumberGenerator is used for Windows Universal Applications. It is only required that the API is called/invoked, there is no requirement that the API be used directly. In future versions of this document, CryptGenRandom may be removed as an option as it is no longer the preferred API per vendor documentation.
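
As an added illustration (not part of the Technical Decision or of any NIAP tooling), the Python sketch below shows one way an evaluator might triage a list of imported symbols and referenced .NET types against the APIs named above. The listing format, the sample listings, the function names and the inclusion of C `rand` as a weak generator are assumptions made for this example.

```python
# Constructed listing format for this example: one "module!symbol" import
# or one fully qualified .NET type name per line.
APPROVED_NATIVE = {"rand_s", "rtlgenrandom", "bcryptgenrandom", "cryptgenrandom"}
# RtlGenRandom is exported from advapi32.dll under the name SystemFunction036.
NATIVE_ALIASES = {"systemfunction036": "rtlgenrandom"}
APPROVED_DOTNET = {
    "system.security.cryptography.rngcryptoserviceprovider",
    "system.security.cryptography.randomnumbergenerator",
}
# Non-cryptographic generators: System.Random (per the issue description) and C rand().
WEAK = {"system.random", "rand"}

def classify(listing):
    """Return the approved and weak RNG references found in a listing."""
    found = {"approved": set(), "weak": set()}
    for raw in listing.splitlines():
        # Keep the symbol part of "module!symbol"; .NET type names have no "!".
        symbol = raw.strip().split("!", 1)[-1].lower()
        symbol = NATIVE_ALIASES.get(symbol, symbol)
        if symbol in APPROVED_NATIVE | APPROVED_DOTNET:
            found["approved"].add(symbol)
        elif symbol in WEAK:
            found["weak"].add(symbol)
    return found

def verdict(listing):
    found = classify(listing)
    if not found["approved"]:
        # The API may be invoked indirectly through a library, so a missing
        # direct reference means "trace the call chain", not "fail".
        return "no-direct-reference"
    return "approved-with-weak-present" if found["weak"] else "approved"

# Constructed sample listings (not taken from any real product).
DESKTOP = "kernel32.dll!CreateFileW\nadvapi32.dll!SystemFunction036\nbcrypt.dll!BCryptGenRandom"
UWP = "System.Random\nSystem.Security.Cryptography.RandomNumberGenerator"
LEGACY = "msvcrt.dll!rand\nkernel32.dll!ReadFile"

if __name__ == "__main__":
    for name, sample in (("desktop", DESKTOP), ("uwp", UWP), ("legacy", LEGACY)):
        print(name, verdict(sample), classify(sample))
```

Name matching cannot recognise a class derived from System.Security.Cryptography.RandomNumberGenerator under a different name; that case needs a check of the type hierarchy. A weak generator appearing alongside an approved one still calls for confirming which one supplies security-relevant values.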


The Remarks section of the Microsoft document  at contains recommendations for generation of cryptographically secure random numbers.
