Random number generator attack
===Software RNGs===
Just as with other components of a cryptosystem, a software random number generator should be designed to resist certain attacks. Some attacks possible on an RNG include (from<ref>{{cite web |last=Kelsey |first=J. |title=Cryptanalytic Attacks on Pseudorandom Number Generators |url=https://www.schneier.com/paper-prngs.html |work=Fast Software Encryption, Fifth International Workshop Proceedings |publisher=Springer-Verlag |accessdate=15 August 2013 |author2=B. Schneier |author3=D. Wagner |author4=C. Hall |pages=168–188 |year=1998}}</ref>):
; Direct cryptanalytic attack: when an attacker obtains part of the stream of random bits and can use this to distinguish the RNG output from a truly random stream.
; Input-based attacks: modify the input to the RNG to attack it, for example by "flushing" existing entropy out of the system and putting it into a known state.
; State compromise extension attacks: when the internal secret state of the RNG is known at some time, use this to predict future output or to recover previous outputs. This can happen when a generator starts up and has little or no entropy (especially if the computer has just been booted and followed a very standard sequence of operations), so an attacker may be able to obtain an initial guess at the state.
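
The state compromise extension case above, as an added example that is not part of the original article: a toy generator whose update is invertible exposes both past and future output once its state is known, while a design with a one-way state update and reseeding limits the damage. The class and function names (<code>LcgRng</code>, <code>lcg_previous</code>, <code>RatchetRng</code>) and the seed values are hypothetical and constructed for illustration.

```python
import hashlib
import os

M = 2**64
A, C = 6364136223846793005, 1442695040888963407  # Knuth's MMIX LCG constants

class LcgRng:
    """Weak toy design: each output is the full state, and the update is invertible."""
    def __init__(self, seed: int):
        self.state = seed % M
    def next(self) -> int:
        self.state = (A * self.state + C) % M
        return self.state

def lcg_previous(state: int) -> int:
    """Undo one LCG step; A is odd, so it has an inverse modulo 2**64."""
    return ((state - C) * pow(A, -1, M)) % M

class RatchetRng:
    """Hardened sketch: one-way (SHA-256) state update plus reseeding."""
    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"init" + seed).digest()
    def next(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()  # old state is discarded
        return out
    def reseed(self, entropy: bytes) -> None:
        self.state = hashlib.sha256(b"seed" + self.state + entropy).digest()

def demo() -> dict:
    weak = LcgRng(seed=12345)                  # constructed sample seed
    outs = [weak.next() for _ in range(4)]
    leaked = outs[2]                           # internal state known at step 3
    clone = LcgRng(leaked)                     # a copy holding only the leaked state
    results = {
        "past_recovered": lcg_previous(leaked) == outs[1],
        "future_predicted": clone.next() == outs[3],
    }
    strong = RatchetRng(b"constructed seed")
    strong.next()
    copy = RatchetRng(b"")
    copy.state = strong.state                  # same compromise, hardened design
    results["predictable_before_reseed"] = copy.next() == strong.next()
    strong.reseed(os.urandom(32))              # fresh entropy the copy never sees
    results["predictable_after_reseed"] = copy.next() == strong.next()
    return results

if __name__ == "__main__":
    print(demo())
```

In the hardened sketch, recovering earlier output from a leaked state would require inverting SHA-256, and future output stops being predictable at the first reseed with entropy unknown to whoever holds the old state.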