...
Although not specified by POSIX, arc4random() is an option on systems that support it. From the arc4random(3) manual page:

arc4random() fits into a middle ground not covered by other subsystems such as the strong, slow, and resource expensive random devices described in random(4) versus the fast but poor quality interfaces described in rand(3), random(3), and drand48(3).
...
On Windows platforms, the CryptGenRandom() function can be used to generate cryptographically strong random numbers. Note that the exact details of the implementation are not published, including, for example, what source of entropy CryptGenRandom() uses. (Microsoft now documents CryptGenRandom() as deprecated in favor of BCryptGenRandom() from the CNG API; the guidance below still applies to the legacy function.) From the Microsoft Developer Network CryptGenRandom() reference [MSDN]:

If an application has access to a good random source, it can fill the pbBuffer buffer with some random data before calling CryptGenRandom(). The CSP [cryptographic service provider] then uses this data to further randomize its internal seed. It is acceptable to omit the step of initializing the pbBuffer buffer before calling CryptGenRandom().
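A worked example, added here and not part of the CERT rule text: a small C wrapper that draws strong random bytes from the platform facility discussed above (CryptGenRandom() on Windows, arc4random_buf() on BSD-derived systems and macOS) and then builds an unbiased bounded integer on top of it, using the same rejection-sampling scheme that arc4random_uniform(3) documents. The /dev/urandom fallback for other POSIX systems, the function names fill_random, rand_uniform and the two check_* helpers, and the sample key-generation in main are this example's own assumptions, not something the page specifies. On Windows the program must be linked against advapi32.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(_WIN32)
#  include <windows.h>
#  include <wincrypt.h>
#  pragma comment(lib, "advapi32.lib")   /* CryptGenRandom lives in advapi32 */
#elif defined(__APPLE__) || defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__)
#  define HAVE_ARC4RANDOM 1              /* arc4random_buf() is declared in <stdlib.h> here */
#endif

/* Fill buf with n cryptographically strong bytes.
 * Returns 0 on success, -1 on failure. Never falls back to rand(). */
int fill_random(unsigned char *buf, size_t n)
{
#if defined(_WIN32)
    HCRYPTPROV prov;
    BOOL ok;
    /* CRYPT_VERIFYCONTEXT: no private-key container is needed just to draw random bytes */
    if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return -1;
    /* Per the MSDN text quoted above, pbBuffer may be pre-filled with locally
     * gathered entropy, which the CSP mixes into its seed; zeroing it is acceptable. */
    memset(buf, 0, n);
    ok = CryptGenRandom(prov, (DWORD)n, buf);
    CryptReleaseContext(prov, 0);
    return ok ? 0 : -1;
#elif defined(HAVE_ARC4RANDOM)
    arc4random_buf(buf, n);              /* cannot fail; self-seeds from the kernel */
    return 0;
#else
    /* Assumption for other POSIX systems (e.g. older glibc without arc4random):
     * read the kernel CSPRNG device directly. A short read is treated as failure. */
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got;
    if (f == NULL)
        return -1;
    got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
#endif
}

/* Uniform integer in [0, upper), using the rejection-sampling scheme of
 * arc4random_uniform(3): raw values below (2^32 mod upper) are discarded so
 * that r % upper is not biased toward small results. */
uint32_t rand_uniform(uint32_t upper)
{
    uint32_t r, min;
    if (upper < 2)
        return 0;                       /* only one value is possible */
    min = (uint32_t)(-upper) % upper;   /* == 2^32 mod upper, computed without overflow */
    do {
        if (fill_random((unsigned char *)&r, sizeof r) != 0)
            abort();                    /* fail closed: never substitute weak randomness */
    } while (r < min);
    return r % upper;
}

/* Sanity check: two independent 32-byte fills must succeed and differ. */
int check_fills_differ(void)
{
    unsigned char a[32], b[32];
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0)
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}

/* Sanity check: every draw from rand_uniform(upper) lies in [0, upper). */
int check_uniform_in_range(uint32_t upper, int trials)
{
    int i;
    for (i = 0; i < trials; i++)
        if (rand_uniform(upper) >= upper)
            return 0;
    return 1;
}

int main(void)
{
    unsigned char key[16];              /* e.g. a 128-bit session key */
    int i;
    if (fill_random(key, sizeof key) != 0) {
        fputs("random source unavailable\n", stderr);
        return EXIT_FAILURE;
    }
    for (i = 0; i < (int)sizeof key; i++)
        printf("%02x", key[i]);
    printf("\nuniform draw below 6: %u\n", (unsigned)rand_uniform(6));
    return EXIT_SUCCESS;
}
```

The design point worth noting is the failure path: when no strong source is available the wrapper reports an error or aborts rather than quietly degrading to rand(), which is exactly the substitution this rule forbids.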
...
Tool | Version | Checker | Description
---|---|---|---
 | V. 5.0 | |
Compass/ROSE | | |
 | | stlibuse | Fully implemented
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...
The CERT Oracle Secure Coding Standard for Java: MSC02-J. Generate strong random numbers
ISO/IEC 9899:2011 Section 7.22.2.1, "The rand function"
MITRE CWE: CWE-327, "Use of a Broken or Risky Cryptographic Algorithm"
MITRE CWE: CWE-330, "Use of Insufficiently Random Values"
...
Sources
[MSDN] "CryptGenRandom Function"
...