Page History

Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms to produce a sequence of numbers with good statistical properties. However, but the sequences of numbers produced fail to achieve true randomness. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed to generate an output value and a new seed, which is used to generate the next value, and so on.

The Java API provides a PRNG, the java.util.Random class. This PRNG is portable and repeatable. Consequently, two instances of the java.util.Random class that are created using the same seed will generate identical sequences of numbers in all Java implementations. Seed values are often reused on application initialization or after every system reboot. In other cases, the seed is derived from the current time obtained from the system clock. An attacker can learn the value of the seed by performing some reconnaissance on the vulnerable target , and can then build a lookup table for estimating future seed values.

Consequently, the java.util.Random class must not be used either for security-critical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom class.

...

This noncompliant code example uses the insecure java.util.Random class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers fails to achieve true randomnessis predictable.

Code Block

bgColor	#FFCCCC


import java.util.Random;
// ...

Random number = new Random(123L);
//...
for (int i = 0; i < 20; i++) {
  // Generate another random integer in the range [0, 20]
  int n = number.nextInt(21);
  System.out.println(n);
}

...

This compliant solution uses the java.security.SecureRandom class to produce high-quality random numbers:

Code Block

bgColor	#ccccff

import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...

public static void main (String args[]) {
  SecureRandom number = new SecureRandom();
  // Generate 20 integers 0..20
  for (int i = 0; i < 20; i++) {
    System.out.println(number.nextInt(21));
  }
}

Compliant Solution (Java 8)

This compliant solution uses the SecureRandom.getInstanceStrong() method, introduced in Java 8, to use a strong RNG algorithm, if one is available.

Code Block

bgColor	#ccccff


import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...

public static void main (String args[]) {
   try {
     SecureRandom number = SecureRandom.getInstancegetInstanceStrong("SHA1PRNG");
     // Generate 20 integers 0..20
     for (int i = 0; i < 20; i++) {
       System.out.println(number.nextInt(21));
     }
   } catch (NoSuchAlgorithmException nsae) { 
     // Forward to handler
   }
}

Exceptions

MSC02-J-EX0: Using the default constructor for java.util.Random applies a seed value that is "very likely to be distinct from any other invocation of this constructor" (API 2006), [API 2014] and may improve security marginally. As a result, it may only be used only for non-critical noncritical applications operating on non-sensitive nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.

Code Block

bgColor	#ccccff


import java.util.Random;
// ...

Random number = new Random(); // Used only used for demo purposes
int n;
//...
for (int i = 0; i < i<2020; i++) {
  // Re-seedReseed generator
  number = new Random();
  // Generate another random integer in the range [0, 20]
  n = number.nextInt(21);
  System.out.println(n);
}

For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random is acceptable. However, it is worth reiterating that the resulting low-entropy random numbers are insufficiently random to be used for more serious security-critical applications, such as cryptography.

MSC02-J-EX1: There are cases where predictable Predictable sequences of pseudo-random pseudorandom numbers are required in some cases, such as when running regression tests of program behavior. Use of the insecure java.util.Random class is permitted in such cases. However, security-related applications may invoke this exception only for testing purposes; it is inapplicable this exception may not be applied in a production context.

Risk Assessment

Predictable random number sequences can weaken the security of critical applications such as cryptography.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
MSC02-J

high

High

probable

Probable

medium

Medium

P12

L1

Automated Detection

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.HARDCODED.SEED
JAVA.LIB.RAND.FUNC
JAVA.CRYPTO.RCF
JAVA.CRYPTO.RA
JAVA.CRYPTO.RF
JAVA.CRYPTO.BASE64
JAVA.CRYPTO.WHAF
AVA.LIB.RAND.LEGACY.GEN

Hardcoded Random Seed (Java)
Insecure Random Number Generator (Java)
Risky Cipher Field (Java)
Risky Cryptographic Algorithm (Java)
Risky Cryptographic Field (Java)
Unsafe Base64 Encoding (Java)
Weak Hash Algorithm Field (Java)
Legacy Random Generator (Java)

Coverity

7.5

RISKY_CRYPTO

Implemented

Parasoft Jtest

Include Page

	Parasoft_V
	Parasoft_V

CRT.MSC02.SRD

Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'

SonarQube

Include Page

	SonarQube_V
	SonarQube_V

S2245

Related Vulnerabilities

CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.

Related Guidelines

SEI CERT C

Secure

Coding Standard	MSC30-C. Do not use the rand() function for generating pseudorandom numbers
SEI CERT C++

Secure

Coding Standard

MSC30

MSC50-CPP. Do not use

the

std::rand()

function

for generating pseudorandom numbers
MITRE CWE	CWE

ID

-327,

"

Use of a Broken or Risky Cryptographic Algorithm

"

CWE

ID

-330,

"

Use of Insufficiently Random Values

"

CWE

ID

-332,

"

Insufficient Entropy in PRNG

"

CWE ID 333, "Improper Handling of Insufficient Entropy in TRNG"

CWE ID

CWE-336,

"

Same Seed in PRNG

"

CWE

ID

-337,

"

Predictable Seed in PRNG

"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9a76e0ec-f191-45ca-9c38-542e602e4da7"><ac:plain-text-body><![CDATA[	[[API 2006	https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]]	[Class Random	http://java.sun.com/javase/6/docs/api/java/util/Random.html]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6d5e1289-5b17-46a0-92a4-96c90950d476"><ac:plain-text-body><![CDATA[	[[API 2006	https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]]	[Class SecureRandom	http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html]	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c23ebf01-9907-409f-9e55-de1aac66e41a"><ac:plain-text-body><![CDATA[	[[Find Bugs 2008	https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-FindBugs08]]	BC: Random objects created and used only once	]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d11cf4f2-05d6-4397-a3b4-fbd1460668a8"><ac:plain-text-body><![CDATA[	[[Monsch 2006	AA. Bibliography#Monsch 06]]		]]></ac:plain-text-body></ac:structured-macro>