RandomNumberGenerator对RNGCryptoServiceProvider [英] RandomNumberGenerator vs RNGCryptoServiceProvider

问题描述

根据MSDN文档 RandomNumberGenerator ：

应用程序代码不直接使用此类。这个抽象类是作为所有加密随机数生成器的基类提供的。

Application code does not directly use this class. This abstract class is provided as the base class for all cryptographic random number generators.

对于加密随机数生成器的实现，使用派生类RNGCryptoServiceProvider。

For an implementation of a cryptographic random number generator, use the derived class RNGCryptoServiceProvider.

但是，我已经看到以下代码在不同代码库的几个场合使用：

However, I have seen the following code used on a few occassions in different code bases:

byte[] bytes = new byte[...];
RandomNumberGenerator rng = RandomNumberGenerator.Create();
rng.GetBytes(bytes);

最着名的是 StackExchange （我假设包括SO）以及 BCrypt.Net 。

Most notably with StackExchange (which I assume includes SO) and also with BCrypt.Net.

因此，我有点困惑 - 什么类型的 RandomNumberGenerator 是上述代码返回？还有一点缺点，一些代码库是使用 RandomNumberGenerator 而不是 RNGCryptoServiceProvider ？

Therefore, I am a little confused - what type of RandomNumberGenerator is the above code returning? Also is it a bit of a flaw that some code bases are using RandomNumberGenerator rather than RNGCryptoServiceProvider?

我假设 RandomNumberGenerator.Create（）正在做引擎盖下，我完全不在这里，因为它是一个抽象类）不应该上面的代码抛出一个错误？

I assume RandomNumberGenerator.Create() is doing under the hood which I am completely missing here, but technically (as it's an abstract class) shouldn't the above code throw an error?

推荐答案

RandomNumberGenerator。 Create（）方法调用 RandomNumberGenerator.Create（System.Security.Cryptography.RandomNumberGenerator），最终将创建 RNGCryptoServiceProvider 。

The RandomNumberGenerator.Create() method calls RandomNumberGenerator.Create("System.Security.Cryptography.RandomNumberGenerator"), which will eventually create an instance of RNGCryptoServiceProvider.

（它在一对字典中执行一些查找，因此可能会更改该调用的becaviour通过在某个地方注册默认的随机生成器。）

(It does some lookups in a pair of dictionaries, so it's likely that you can change the becaviour of that call by registering a default random generator somewhere.)

返回的对象的实际类型在编译时是未知的，它只知道它将继承 RandomNumberGenerator 类，因此您可以使用 RandomNumberGenerator 引用变量。

The actual type of the object returned is not known at compile time, it's only known that it will inherit the RandomNumberGenerator class, so you can use a RandomNumberGenerator reference variable for it.

这种根据输入创建不同类型实例的方式在框架中的几个地方使用，例如通过 WebRequest.Create 方法。

This way of creating different types of instances depending on the input is used in a couple of places in the framework, for example by the WebRequest.Create method.

Micrsoft的某个用户已经修正了 Create（）方法。现在说：

Someone at Micrsoft has "fixed" the current documentation (framework 4.5) for the Create() method. It now says:

当在派生类中重写时，创建
默认实现的加密随机数的实例生成器
可用于生成随机数据。

"When overridden in a derived class, creates an instance of the default implementation of a cryptographic random number generator that can be used to generate random data."

框架4.0的文档说：

创建加密的默认实现的实例
可用于生成随机数据的随机数生成器。

"Creates an instance of the default implementation of a cryptographic random number generator that can be used to generate random data."

这是方法的正确描述。我会提出一个请求，把这个描述放回新的文档。

This is the correct description of what the method does. I will put in a request to put that description back in the newer documentation.

这篇关于RandomNumberGenerator对RNGCryptoServiceProvider的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！