Skip to content

Insecure Randomness

What does this mean ?

When a function that can provide predictable values is utilized as a source of randomness in a security-sensitive situation, insecure randomness mistakes arise. Standard pseudo-random number generators are vulnerable to cryptographic attacks.

What can happen ?

Using a cryptographically weak pseudo-random number generator to create a security-sensitive value, such as a password, allows an attacker to anticipate the result more easily.

Recommendation

  • Use a well-vetted method that experts in the area currently regard to be strong and select well-tested implementations with suitable length seeds.

Sample Code

Vulnerable :

using System;

class ExampleClass
{
    public void ExampleMethod(Random random)
    {
        var sensitiveVariable = random.Next();
    }
}

Non Vulnerable :

using System;
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(RandomNumberGenerator randomNumberGenerator, int toExclusive)
    {
        var sensitiveVariable = randomNumberGenerator.GetInt32(toExclusive);
    }
}

Vulnerable :

Import java.util.Random
public static int generateRandomInt(int upperRange)
{
  Random random = new Random();
  return random.nextInt(upperRange);
}

Non Vulnerable :

Import java.security.SecureRandom
public static int generateRandom(int maximumValue)
{
  SecureRandom ranGen = new SecureRandom();
  return ranGen.nextInt(maximumValue);
}

Vulnerable :

$random = rand();
$random2 = mt_rand(0, 99);

Non Vulnerable :

$randomInt = random_int(0,99); // Compliant; generates a cryptographically secure random integer

References