It is widely known John von Neumann's quote:
"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."
Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms algorithms to produce a sequence of numbers with good statistical properties. However, but the sequences of numbers produced are not genuinely randomfail to achieve true randomness. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed in order to generate an output value and a new seed as well , which is going to be used to generate the next value, and so on.
The Java API provides a PRNG, the java.util.Random
class. This PRNG built is portable and repeatable. As a consequence of thatConsequently, if two Random instances instances of the java.util.Random
class that are created using the same seed , they will generate identical sequences of numbers in all Java implementations. Seed values are often reused on application initialization or after every system reboot. In other cases, the seed is derived from the current time obtained from the system clock. An attacker can learn the value of the seed by performing some reconnaissance on the vulnerable target and can then build a lookup table for estimating future seed values.
Consequently, the java.util.Random
class must not be used either for security-critical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom
class.
Noncompliant Code Example
In case you use the same seed value, you will always get the same sequence of numbers, thus they will not be so "random" onesThis noncompliant code example uses the insecure java.util.Random
class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers is predictable.
Code Block | ||
---|---|---|
| ||
import java.util.Random; // ... Random number = new Random(123L); //... for (int i = 0; i<20i < 20; i++) { // generateGenerate another random integer in the range [0, 20] int n = number.nextInt(21); System.out.println(n); } |
Noncompliant Code Example
Compliant Solution
This compliant solution uses the java.security.SecureRandom
class to produce high-quality random numbers: Using a null seed value may prevent such problems. Java's default seed uses system's time in milliseconds. However, you should neither use two different generators with a null seed value nor "resetting" generator's instance more than once (using new Random() multiple times) as you may get identical numbers in the former case and number not actually random in the latter one.
Code Block | |||
---|---|---|---|
| |||
import java.security.SecureRandom; import java.utilsecurity.RandomNoSuchAlgorithmException; // ... Randompublic static void main (String args[]) { SecureRandom number = new RandomSecureRandom(); // Generate 20 integers 0...20 for (int i = 0; i i<20< 20; i++) { // re-seed generator number = new Random(); // generate another random integer in the range [0,20] int n = number.nextInt(21); System.out.println(n); } |
For non-critical cases, e.g. adding some randomness to a game, Random class is considered fine. However, it is not random enough to be used by more serious applications, e.g. cryptography.
Compliant Solution
This compliant solution uses java.security.SecureRandom class in order to produce high quality random numbers.
{
System.out.println(number.nextInt(21));
}
}
|
Compliant Solution (Java 8)
This compliant solution uses the SecureRandom.getInstanceStrong()
method, introduced in Java 8, to use a strong RNG algorithm, if one is available.
Code Block | ||
---|---|---|
| ||
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...
public static void main (String args[]) {
try {
SecureRandom number = SecureRandom.getInstanceStrong();
// Generate 20 integers 0..20
for (int i = 0; i < 20; i++) {
System.out.println(number.nextInt(21));
}
} catch (NoSuchAlgorithmException nsae) {
// Forward to handler
}
} |
Exceptions
MSC02-J-EX0: Using the default constructor for java.util.Random
applies a seed value that is "very likely to be distinct from any other invocation of this constructor" [API 2014] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.
Code Block | ||
---|---|---|
| ||
import java.util.Random | ||
Code Block | ||
| ||
import java.security.SecureRandom; // ... staticRandom SecureRandom number = SecureRandom.getInstancenew Random("SHA-1"); // ... // generate 20 integers 0..20Used only for demo purposes int n; //... for (int i = 0; i<20i < 20; i++) { System.out.println( { // Reseed generator number = new Random(); // Generate another random integer in the range [0, 20] n = number.nextInt(21); System.out.println(n); } |
Risk Assessment
TODO
For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random
is acceptable. However, it is worth reiterating that the resulting low-entropy random numbers are insufficiently random to be used for more security-critical applications, such as cryptography.
MSC02-J-EX1: Predictable sequences of pseudorandom numbers are required in some cases, such as when running regression tests of program behavior. Use of the insecure java.util.Random
class is permitted in such cases. However, security-related applications may invoke this exception only for testing purposes; this exception may not be applied in a production context.
Risk Assessment
Predictable random number sequences can weaken the security of critical applications such as cryptography.
Rule |
---|
Severity | Likelihood | Remediation Cost | Priority | Level |
---|
MSC02-J | High | Probable | Medium | P12 | L1 |
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.HARDCODED.SEED | Hardcoded Random Seed (Java) | ||||||
Coverity | 7.5 | RISKY_CRYPTO | Implemented | ||||||
Parasoft Jtest |
| CRT.MSC02.SRD | Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()' | ||||||
SonarQube |
| S2245 |
Related Vulnerabilities
CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.
Related Guidelines
...
CWE-327, Use of a Broken or Risky Cryptographic Algorithm CWE-330, Use of Insufficiently Random Values CWE-332, Insufficient Entropy in PRNG CWE-336, Same Seed in PRNG CWE-337, Predictable Seed in PRNG |
Bibliography
...
References
TODO