...
The C Standard function rand() (available in stdlib.h) does not have good random number properties. The numbers generated by rand() have a comparatively short cycle, and the numbers may can be predictable.
Noncompliant Code Example
...
To achieve the best random numbers possible, an implementation-specific function must be used. When unpredictability really matters and speed is not an issue, as in the creation of strong cryptographic keys, use a true entropy source, such as /dev/random or a hardware device capable of generating random numbers. Note that the /dev/random device may can block for a long time if there are not enough events going on to generate sufficient entropy.
...
| Wiki Markup |
|---|
On Windows platforms, the [{{CryptGenRandom()}}|http://msdn2.microsoft.com/en-us/library/aa379942.aspx] function maycan be used to generate cryptographically strong random numbers. Note that the exact details of the implementation are unknown, including, for example, what source of entropy {{CryptGenRandom()}} uses. From the Microsoft Developer Network {{CryptGenRandom()}} reference \[[MSDN|AA. Bibliography#MSDN]\] |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: MSC30-CPP. Do not use the rand() function for generating pseudorandom numbers
Java The CERT Oracle Secure Coding Standard for Java: MSC02-J. Generate strong random numbers
...
Wiki Markup
MITRE CWE: CWE-327, "Use of a Broken or Risky Cryptographic Algorithm"
MITRE CWE: CWE-330, "Use of Insufficiently Random Values"
Bibliography
| Wiki Markup |
|---|
\[[MITRE 2007|AA. Bibliography#MITRE 07]\] [CWE ID 327|http://cwe.mitre.org/data/definitions/327.html], "Use of a Broken or Risky Cryptographic Algorithm," [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html], "Use of Insufficiently Random Values"
\[[MSDN|AA. Bibliography#MSDN]\] "[CryptGenRandom Function|http://msdn.microsoft.com/en-us/library/aa379942.aspx]" |
...