Insecure Random Seed
Insecure Random Seed
Description
The random number generator is seeded with a constant value, so it produces the same sequence of numbers on every run and its output is predictable to anyone who knows or recovers the seed.
Recommendation
To ensure generated random values are not predictable, use a cryptographically secure pseudo-random number generator (CSPRNG) such as SecureRandom for Java or SecRandomCopyBytes for Swift, and do not supply a constant seed to it.
import java.security.SecureRandom;
/**
 * Shows how to draw an int, a double and a byte array from
 * {@link SecureRandom} without providing a seed.
 */
public class SecureRandomExample {
    /**
     * Prints one random integer, one random double and ten random bytes.
     *
     * @param args command-line arguments (not used)
     */
    public static void main(String[] args) {
        // The no-argument constructor is used on purpose: this code never
        // passes a seed, so no constant value can end up driving the output.
        final SecureRandom rng = new SecureRandom();

        // Integer sample.
        final int intSample = rng.nextInt();
        System.out.println("Random Integer: " + intSample);

        // Floating-point sample.
        final double doubleSample = rng.nextDouble();
        System.out.println("Random Double: " + doubleSample);

        // Byte-array sample: nextBytes fills the caller-supplied buffer in place.
        // Printing is for demonstration only; values used as keys or tokens
        // should not be written to logs or standard output.
        final byte[] buffer = new byte[10];
        rng.nextBytes(buffer);
        System.out.println("Random Bytes: " + java.util.Arrays.toString(buffer));
    }
}
import Security
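/// Returns `count` random bytes obtained from `SecRandomCopyBytes`.
///
/// - Parameter count: Number of random bytes requested.
/// - Returns: The random bytes, or `nil` when `count` is negative or when
///   `SecRandomCopyBytes` reports a status other than `errSecSuccess`.
func generateRandomBytes(count: Int) -> [UInt8]? {
    // Array(repeating:count:) traps on a negative count; report failure
    // through the optional return like every other error path instead.
    guard count >= 0 else {
        return nil
    }

    var randomBytes = [UInt8](repeating: 0, count: count)
    let status = SecRandomCopyBytes(kSecRandomDefault, count, &randomBytes)

    // On failure the buffer may still hold its zero fill, so it must never
    // be handed back to a caller that would treat it as random data.
    guard status == errSecSuccess else {
        print("Error generating random bytes: \(status)")
        return nil
    }
    return randomBytes
}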
// Usage example: request ten bytes and print them only when generation
// succeeded. Printing is for demonstration; bytes used as keys or tokens
// should not be written to logs or standard output.
if case .some(let bytes) = generateRandomBytes(count: 10) {
    print("Random Bytes: \(bytes)")
}
Links
- CWE-330: Use of Insufficiently Random Values
- MSC02-J. Generate strong random numbers (CERT Secure Coding)
Standards
- OWASP_MASVS_L1:
- MSTG_CRYPTO_6
- OWASP_MASVS_L2:
- MSTG_CRYPTO_6
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- OWASP_MASVS_v2_1:
- MASVS_CRYPTO_1
- SOC2_CONTROLS:
- CC_2_1
- CC_4_1
- CC_6_7
- CC_7_1
- CC_7_2
- CC_7_4
- CC_7_5