Cryptographically Secure Pseudo-Random Number Generator in Qt/C++ (Cross platform)

Question

I am developing a secure application that manages sensitive data, so I need some sort of secure login mechanism. I'm using the Qt Libraries (C++ version), and so far I can't find a function that offers this [Cryptographically Secure Pseudo-Random Number Generator] to get a Salt when the user creates an account from my application. I am aware of how one should go about storing passwords in a database, and it seems that a CSPRNG is a must when making a new salt. I looked and looked for a long time trying to find a way to do this in Qt, but I've just about reached the conclusion that there isn't a way to do this in Qt alone. Rather, is there at least a cross platform, C++ approach to doing this? I'm okay with including a library, but I'd prefer it to be LGPL so if I choose to develop a proprietary/closed-source application in the future, I can still use the same method(s). Some additional information is that I'll mo t likely be using SQL (MSSQL Express servers) for now, so I'm adding the SQL Tag. I'm probably going to be using QSslSocket as well (for encryption between client/server) if that helps. If you could shed some light not this, I'd be most grateful!

Answer 1

If you think you need a cryptographically secure PRNG for generating salts then I must tell you that you do not understand what the salt is and how and why it works and against which kinds of attacks it is useful.

The simple fact that the salt must be stored in plaintext alongside the hash of the salted password should have given away that you do not really need a cryptographically secure PRNG for salt - or any PRNG for that matter. Frankly, you could have a simple 64-bit number, which you increase by one every time you need a new salt and it would be just as secure as a salt generated by a cryptographically secure PRNG.

Answer 2

The crypto library in OpenSSL has rand functions that "implement a cryptographically secure pseudo-random number generator (PRNG)."

OpenSSL has been around for over 10 years and is still being actively developed.

Here is the OpenSSL license.