Comment: Migrated to Confluence 4.0

...

Compliant Solution (Windows)

On Windows platforms, the [{{CryptGenRandom()}}|http://msdn2.microsoft.com/en-us/library/aa379942.aspx] function can be used to generate cryptographically strong random numbers. Note that the exact details of the implementation are unknown, including, for example, what source of entropy {{CryptGenRandom()}} uses. From the Microsoft Developer Network {{CryptGenRandom()}} reference [MSDN]:

...

If an application has access to a good random source, it can fill the {{pbBuffer}} buffer with some random data before calling {{CryptGenRandom()}}. The CSP [cryptographic service provider] then uses this data to further randomize its internal seed. It is acceptable to omit the step of initializing the {{pbBuffer}} buffer before calling {{CryptGenRandom()}}.

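{code:bgColor=#ccccff|lang=c}
#include <windows.h>
#include <wincrypt.h>
#include <stdio.h>

int main(void) {
    HCRYPTPROV hCryptProv;
    union {
        BYTE bs[sizeof(long int)];
        long int li;
    } rand_buf;

    /* Acquire a provider handle before use; CRYPT_VERIFYCONTEXT needs no key container */
    if (!CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
        /* Handle error */
        return 1;
    }
    /* Pass the byte view of the union; CryptGenRandom() expects a BYTE pointer */
    if (!CryptGenRandom(hCryptProv, sizeof(rand_buf), rand_buf.bs)) {
        /* Handle error */
    } else {
        printf("Random number: %ld\n", rand_buf.li);
    }
    CryptReleaseContext(hCryptProv, 0);
    return 0;
}
{code}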
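A reusable form of the call above, as an added example that is not part of the original page: it acquires a provider with CRYPT_VERIFYCONTEXT, requests bytes in DWORD-sized chunks, and fails closed instead of falling back to {{rand()}}. The name csprng_fill, the 64 KiB chunk size, and the /dev/urandom branch that lets it build off Windows are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

/* Fill buf with len bytes from the OS CSPRNG. Returns 0 on success, -1 on
 * failure; on failure buf is zeroed so stale data is never used as "random". */
int csprng_fill(unsigned char *buf, size_t len) {
    int ok = 0;
#ifdef _WIN32
    HCRYPTPROV prov = 0;
    /* CRYPT_VERIFYCONTEXT: no persistent key container is needed for RNG use. */
    if (CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
        size_t off = 0;
        ok = 1;
        while (ok && off < len) {   /* dwLen is a DWORD, so request in chunks */
            DWORD n = (len - off > 0x10000) ? 0x10000 : (DWORD)(len - off);
            ok = CryptGenRandom(prov, n, buf + off) != 0;
            off += n;
        }
        CryptReleaseContext(prov, 0);
    }
#else
    /* Assumption: off Windows, /dev/urandom stands in for the CSP. */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        ok = fread(buf, 1, len, f) == len;
        fclose(f);
    }
#endif
    if (!ok) {
        memset(buf, 0, len);
        return -1;
    }
    return 0;
}

int main(void) {
    unsigned char key[32];
    if (csprng_fill(key, sizeof key) != 0) {
        fputs("CSPRNG unavailable; refusing to continue\n", stderr);
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```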

...

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| MSC30-C | medium | unlikely | low | P6 | L2 |

Automated Detection

|| Tool || Version || Checker || Description ||
| LDRA tool suite | | | |
| Fortify SCA | V. 5.0 | | |
| Compass/ROSE | | | |
| ECLAIR | | stlibuse | Fully Implemented |

...

MITRE CWE: CWE-330, "Use of Insufficiently Random Values"

Bibliography

[MSDN] "[CryptGenRandom Function|http://msdn.microsoft.com/en-us/library/aa379942.aspx]"

...
