...
The C Standard rand() function makes no guarantees as to the quality of the random sequence produced. The numbers generated by some implementations of rand() have a comparatively short cycle, and the numbers can be predictable. Applications that have strong pseudorandom number requirements should must use a generator that is known to be sufficient for their needs.
Noncompliant Code Example
The following noncompliant code generates an ID with a numeric part produced by calling the rand() function. The IDs produced are predictable and have limited randomness.
...
Compliant Solution (POSIX)
The POSIX random() function is a better pseudorandom number generator. Although the low dozen bits generated by rand() go through a cyclic pattern, all the bits generated by random() are usable.This complian solution replaces the rand() function with the POSIX random() function:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
enum { len = 12 };
void func(void) {
/*
* id will hold the ID, starting with the characters
* "ID" followed by a random integer.
*/
char id[len];
int r;
int num;
/* ... */
time_tstruct now = time(NULL)timespec ts;
if (nowtimespec_get(&ts, TIME_UTC) == (time_t)-1)0) {
/* Handle error */
}
srandom(nowts.tv_nsec ^ ts.tv_sec); /* Seed the PRNG with the current time */
/* ... */
r = random(); /* Generate a random integer */
num = snprintf(id, len, "ID%-d", r); /* Generate the ID */
/* ... */
} |
The POSIX random() function is a better pseudorandom number generator. Although on some platforms the low dozen bits generated by rand() go through a cyclic pattern, all the bits generated by random() are usable. The rand48 family of functions provides another alternative for pseudorandom numbers.
Although not specified by POSIX, arc4random() is an option on another possibility for systems that support it. From the The arc4random(3) manual page [OpenBSD] states:
arc4random()fits into a middle ground not covered by other subsystems such as the strong, slow, and resource expensive random devices described inrandom(4)versus the fast but poor quality interfaces described inrand(3),random(3), anddrand48(3).
To achieve the best random numbers possible, an implementation-specific function must be used. When unpredictability really matters is crucial and speed is not an issue, as in the creation of strong cryptographic keys, use a true entropy source, such as /dev/random, or a hardware device capable of generating random numbers. Note that the /dev/random device can block for a long time if there are not enough events going on to generate sufficient entropy.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <Windows.h>
#include <wincrypt.h>
#include <stdio.h>
void func(void) {
HCRYPTPROV prov;
if (CryptAcquireContext(&prov, NULL, NULL,
PROV_RSA_FULL, 0)) {
long int li = 0;
if (CryptGenRandom(prov, sizeof(li), (BYTE *)&li)) {
printf("Random number: %ld\n", li);
} else {
/* Handle error */
}
if (!CryptReleaseContext(prov, 0);)) {
/* Handle error */
}
} else {
/* Handle error */
}
} |
Risk Assessment
The use of the rand() function may can result in predictable random numbers.
...
| CERT C++ Secure Coding Standard | MSC30-CPP. Do not use the rand() function for generating pseudorandom numbers |
| CERT Oracle Secure Coding Standard for Java | MSC02-J. Generate strong random numbers |
| MITRE CWE | CWE-327, Use of a broken or risky cryptographic algorithmBroken or Risky Cryptographic Algorithm CWE-330, Use of insufficiently random valuesInsufficiently Random Values |
Bibliography
...