...
Consequently, the java.util.Random
class must not be used either for security-critical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom
class.
...
This noncompliant code example uses the insecure java.util.Random
class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers is predictable.
Code Block | ||
---|---|---|
| ||
import java.util.Random;
// ...
Random number = new Random(123L);
//...
for (int i = 0; i < 20; i++) {
// Generate another random integer in the range [0, 20]
int n = number.nextInt(21);
System.out.println(n);
}
|
...
This compliant solution uses the java.security.SecureRandom
class to produce high-quality random numbers:
Code Block | ||
---|---|---|
| ||
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...
public static void main (String args[]) {
SecureRandom number = new SecureRandom();
// Generate 20 integers 0..20
for (int i = 0; i < 20; i++) {
System.out.println(number.nextInt(21));
}
}
|
Compliant Solution (Java 8)
This compliant solution uses the SecureRandom.getInstanceStrong()
method, introduced in Java 8, to use a strong RNG algorithm, if one is available.
Code Block | ||
---|---|---|
| ||
import java.security.SecureRandom; import java.security.NoSuchAlgorithmException; // ... public static void main (String args[]) { try { SecureRandom number = SecureRandom.getInstancegetInstanceStrong("SHA1PRNG"); // Generate 20 integers 0..20 for (int i = 0; i < 20; i++) { System.out.println(number.nextInt(21)); } } catch (NoSuchAlgorithmException nsae) { // Forward to handler } } |
Exceptions
unmigratedMSC02-wikiJ-markup*MSC02-EX0:* Using the default constructor for {{java.util.Random
}} applies a seed value that is "very likely to be distinct from any other invocation of this constructor" \ [[API 2006|AA. References#API 06]\] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is API 2014] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.
Code Block | ||
---|---|---|
| ||
import java.util.Random; // ... Random number = new Random(); // Used only used for demo purposes int n; //... for (int i = 0; i < 20; i++) { // Re-seedReseed generator number = new Random(); // Generate another random integer in the range [0, 20] n = number.nextInt(21); System.out.println(n); } |
For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random
is acceptable. However, it is worth reiterating that the resulting low-entropy random numbers are insufficiently random to be used for more security-critical applications, such as cryptography.
MSC02-J-EX1: Predictable sequences of pseudorandom numbers are required in some cases, such as when running regression tests of program behavior. Use of the insecure java.util.Random
class is permitted in such cases. However, security-related applications may invoke this exception only for testing purposes; this exception may not be applied in a production context.
...
Predictable random number sequences can weaken the security of critical applications such as cryptography.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC02-J |
High |
Probable |
Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.HARDCODED.SEED | Hardcoded Random Seed (Java) | ||||||
Coverity | 7.5 | RISKY_CRYPTO | Implemented | ||||||
Parasoft Jtest |
| CRT.MSC02.SRD | Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()' | ||||||
SonarQube |
| S2245 |
Related Vulnerabilities
CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.
Related Guidelines
MSC30-C. Do not use the rand() function for generating pseudorandom numbers | |
, Use of a |
Broken or Risky Cryptographic Algorithm |
, Use of |
Insufficiently Random Values |
, Insufficient |
Entropy in PRNG |
, Same |
Seed in PRNG |
, Predictable |
Seed in PRNG |
Bibliography
...
[ |
http://java.sun.com/javase/6/docs/api/java/util/Random.html]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d3832f88-0c6f-49fd-a87e-69536712945e"><ac:plain-text-body><![CDATA[
[[API 2006
AA. References#API 06]]
[Class SecureRandom
http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="de99ea26-5951-4b18-a1e1-f3e38b14d51d"><ac:plain-text-body><![CDATA[
[[FindBugs 2008
]]></ac:plain-text-body></ac:structured-macro>
AA. References#Monsch 06]]
]]></ac:plain-text-body></ac:structured-macro>
] |
...