Generating Keys, Nonces & IVs Safely
Use secrets, os.urandom, and safe wrappers in Python and Node.
The Three Categories
Three distinct cryptographic values need secure generation: (1) Keys — long-lived, must be unpredictable and secret. (2) IVs — per-message, may be public but must be unpredictable (CBC) or unique (GCM). (3) Nonces — must be unique per use, may or may not be random.
Symmetric Keys
AES-128: secrets.token_bytes(16). AES-256: secrets.token_bytes(32). ChaCha20: secrets.token_bytes(32). Never derive keys from passwords without KDF (PBKDF2/Argon2). Never reuse keys across different algorithms or purposes.
All lessons in this course
- True Randomness vs Pseudorandomness
- Cryptographically Secure PRNGs
- Entropy Starvation & Weak-Key Bugs
- Generating Keys, Nonces & IVs Safely