SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 35

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

John von Neumann's quote is widely known:

"Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin."

Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms  algorithms to produce a sequence of numbers with good statistical properties. However, but the sequences of numbers produced are not genuinely randomfail to achieve true randomness. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed in order to generate an output value and a new seed as well, which is used to generate the next value, and so on.

The Java API provides a PRNG, the java.util.Random class. This PRNG is portable and repeatable. As a consequence of thatConsequently, if two random instances instances of the java.util.Random class that are created using the same seed , they will generate identical sequences of numbers in all Java implementations. Sometimes the same seed is reused upon Seed values are often reused on application initialization or after every system reboot. At In other timescases, the seed is derived from the current time obtained from the system clock is used to derive the seed. An adversary attacker can learn the value of the seed by performing some reconnaissance on the remote server and proceed to vulnerable target and can then build a lookup table for estimating future seed values.

Consequently, the java.util.Random class must not be used either for security-critical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom class.

Noncompliant Code Example

If you use the same seed value, you will always get the same sequence of numbers; thus they will not be "random"This noncompliant code example uses the insecure java.util.Random class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers is predictable.

Code Block
bgColor#FFCCCC

import java.util.Random;
// ...

Random number = new Random(123L);
//...
for (int i = 0; i<20i < 20; i++)
 {
   // generateGenerate another random integer in the range [0, 20]
   int n = number.nextInt(21);
   System.out.println(n);
}

...

Compliant Solution
This compliant solution uses the java.security.SecureRandom class in order to produce high-quality random numbers.:
 Code Block
bgColor#ccccff

import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...

public static void main (String args[]) {
  SecureRandom number = new SecureRandom();
  // Generate 20 integers 0..20
  for (int i = 0; i < 20; i++) {
    System.out.println(number.nextInt(21));
  }
}

Compliant Solution (Java 8)
This compliant solution uses the SecureRandom.getInstanceStrong() method, introduced in Java 8, to use a strong RNG algorithm, if one is available.
 Code Block
bgColor#ccccff
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...

public static void main (String args[]) {
   try {
  try
   {
      SecureRandom number = SecureRandom.getInstance getInstanceStrong("SHA1PRNG");
      // generateGenerate 20 integers 0..20
      for (int i = 0; i<20i < 20; i++) {
         System.out.println(number.nextInt(21));
      }
   }
   catch (NoSuchAlgorithmException nsae) { 
     /* handle */// Forward to handler
   }
}

Exceptions
MSC30MSC02-J-EX1EX0: Using a null seed value (as opposed to reusing it) may improve security marginally but should only be used for non-critical applicationsthe default constructor for java.util.Random applies a seed value that is "very likely to be distinct from any other invocation of this constructor" [API 2014] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. This exception is not recommended for applications requiring high security (for instance, session IDs should not use this). When used, explicit documentation of this exception is encouragedrequired.
 Code Block
bgColor#ccccff

import java.util.Random;
// ...

Random number = new Random(); // Used only for demo purposes
int n;
//...
for (int i = 0; i < i<2020; i++)
 {
   // re-seedReseed generator
   number = new Random();
   // generateGenerate another random integer in the range [0, 20]
   n = number.nextInt(21);
   System.out.println(n);
}

For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random class is considered fineacceptable. However, we reiterate it is worth reiterating that the resulting low-entropy random numbers are not insufficiently random enough to be used for more serious security-critical applications, such as cryptography.
Risk Assessment
MSC02-J-EX1: Predictable sequences of pseudorandom numbers are required in some cases, such as when running regression tests of program behavior. Use of the insecure java.util.Random class is permitted in such cases. However, security-related applications may invoke this exception only for testing purposes; this exception may not be applied in a production context.
Risk Assessment
Predictable random number sequences can weaken the security of critical applications such as cryptography.
Rule
 Recommendation 
Severity
Likelihood
Remediation Cost
Priority
Level
 MSC30
MSC02-J
 high 
High
 probable 
Probable
 medium 
Medium
P12
L1
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
...
Tool
Version
Checker
Description
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
JAVA.HARDCODED.SEED
JAVA.LIB.RAND.FUNC
JAVA.CRYPTO.RCF
JAVA.CRYPTO.RA
JAVA.CRYPTO.RF
JAVA.CRYPTO.BASE64
JAVA.CRYPTO.WHAF
AVA.LIB.RAND.LEGACY.GEN
Hardcoded Random Seed (Java)
Insecure Random Number Generator (Java)
Risky Cipher Field (Java)
Risky Cryptographic Algorithm (Java)
Risky Cryptographic Field (Java)
Unsafe Base64 Encoding (Java)
Weak Hash Algorithm Field (Java)
Legacy Random Generator (Java)
Coverity7.5RISKY_CRYPTOImplemented
Parasoft Jtest
 Include Page
Parasoft_V
Parasoft_V
CRT.MSC02.SRDUse 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
SonarQube
 Include Page
SonarQube_V
SonarQube_V
S2245
Related Vulnerabilities
CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.
Related Guidelines
SEI CERT C Coding Standard
MSC30-C. Do not use the rand() function for generating pseudorandom numbers
...
SEI CERT C++ 
...
 Coding Standard
...
MSC50-CPP. Do not use 
...
std::rand() 
...
 for generating pseudorandom numbers
...
...
MITRE CWE
CWE-327, Use of a Broken or Risky Cryptographic Algorithm
CWE-330, Use of Insufficiently Random Values
CWE-332, Insufficient Entropy in PRNG
CWE-336, Same Seed in PRNG
CWE-337, Predictable Seed in PRNG
Bibliography

[API 2014
Class Random
 Class SecureRandom
[FindBugs 2008]
BC. Random objects created and used only once

[Monsch 2006]


...
Image Added Image Added Image Added 09|AA. Java References#MITRE 09]\] [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html] "Use of Insufficiently Random Values", [CWE ID 327 |http://cwe.mitre.org/data/definitions/327.html], "Use of a Broken or Risky Cryptographic Algorithm," [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html], "Use of Insufficiently Random Values", [CWE ID 333| http://cwe.mitre.org/data/definitions/333.html] "Failure to Handle Insufficient Entropy in TRNG", [CWE ID 332|http://cwe.mitre.org/data/definitions/332.html] "Insufficient Entropy in PRNG", [CWE ID 337|http://cwe.mitre.org/data/definitions/337.html] "Predictable Seed in PRNG", [CWE ID 336|http://cwe.mitre.org/data/definitions/336.html] "Same Seed in PRNG"MSC05-J. Make sensitive classes noncloneable      49. Miscellaneous (MSC)      99. The Void (VOID)