SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 67

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 68

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms to produce a sequence of numbers with good statistical properties, but the sequences of numbers produced are not genuinely randomfail to achieve true randomness. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed to generate an output value and a new seed, which is used to generate the next value, and so on.

The Java API provides a PRNG, the java.util.Random class. This PRNG is portable and repeatable. Consequently, if two random instances instances of the java.util.Random class that are created using the same seed , they will generate identical sequences of numbers in all Java implementations. Sometimes the same seed is Seed values are often reused on application initialization or after every system reboot. At In other timescases, the seed is derived from the current time obtained from the system clock is used to derive the seed. An adversary can learn the value of the seed by performing some reconnaissance on the vulnerable target, and proceed to can then build a lookup table for estimating future seed values.

Consequently, it is forbidden to use the java.util.Random class either for security-critical applications or for protecting sensitive data. Use the java.security.SecureRandom class instead.

Noncompliant Code Example

If the same seed value is used, the same sequence of numbers is obtained; as a result, the numbers are not "random". This noncompliant code example uses the insecure java.util.Random class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers fails to achieve true randomness.

Code Block
bgColor#FFCCCC
import java.util.Random;
// ...

Random number = new Random(123L);
//...
for (int i = 0; i < 20; i++) {
  // Generate another random integer in the range [0, 20]
  int n = number.nextInt(21);
  System.out.println(n);
}

...

Compliant Solution
This compliant solution uses the java.security.SecureRandom class to produce high quality random numbers.
...
MSC02-EX1: Using a null seed value (as opposed to reusing it) may improve security marginally but should only be used for non-critical applications. Java's default seed uses the system's time in milliseconds. This exception is not recommended inapplicable for applications requiring high security (for instance, session IDs should be adequately random). When used, explicit documentation of this exception is encouraged.
...
For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random is acceptable. However, it is worth reiterating that the resulting low entropy random numbers are not insufficiently random enough to be used for more serious applications, such as cryptography.
MSC02-EX1: There are cases where predictable sequences of pseudo-random numbers are required, such as when running regression tests of program behavior. Use of the insecure java.util.Random class is permitted in such cases. However, security-related applications may invoke this exception only for testing purposes; it is inapplicable in a production context.
Risk Assessment
Predictable random number sequences can weaken the security of critical applications such as cryptography.
 Guideline 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 MSC02-J 
 high 
 probable 
 medium 
 P12 
L1
...
TODO
Related Vulnerabilities
CVE-2006-6969
...
 Wiki Markup
\[[API 2006|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]\]&nbsp;[Class Random|http://java.sun.com/javase/6/docs/api/java/util/Random.html]
\[[API 2006|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]\] [Class SecureRandom|http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html]
\[[Find Bugs 2008|https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-FindBugs08]\] BC: Random objects created and used only once
\[[Monsch 2006|AA. Bibliography#Monsch 06]\]
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html] "Use of Insufficiently Random Values", [CWE ID 327 |http://cwe.mitre.org/data/definitions/327.html], "Use of a Broken or Risky Cryptographic Algorithm," [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html], "Use of Insufficiently Random Values", [CWE ID 333| http://cwe.mitre.org/data/definitions/333.html] "Failure to Handle Insufficient Entropy in TRNG", [CWE ID 332|http://cwe.mitre.org/data/definitions/332.html] "Insufficient Entropy in PRNG", [CWE ID 337|http://cwe.mitre.org/data/definitions/337.html] "Predictable Seed in PRNG", [CWE ID 336|http://cwe.mitre.org/data/definitions/336.html] "Same Seed in PRNG"
\[[Monsch 2006|AA. Bibliography#Monsch 06]\]
...
MSC01-J. Do not use insecure or weak cryptographic algorithms      49. Miscellaneous (MSC)      MSC03-J. Never hardcode sensitive information