Insecure Random Seed
不安全的随机种子
描述
随机数生成器使用常量值进行种子播种,导致生成的数字是可预测的。
建议
为确保生成的随机值不可预测,请使用安全的伪随机数生成器 (PRNG),例如 Java 的 SecureRandom 和 Swift 的 SecRandomCopyBytes。
import java.security.SecureRandom;
public class SecureRandomExample {
public static void main(String[] args) {
SecureRandom secureRandom = new SecureRandom();
// Generating a random integer
int randomNumber = secureRandom.nextInt();
System.out.println("Random Integer: " + randomNumber);
// Generating a random double
double randomDouble = secureRandom.nextDouble();
System.out.println("Random Double: " + randomDouble);
// Generating a random byte array
byte[] randomBytes = new byte[10];
secureRandom.nextBytes(randomBytes);
System.out.println("Random Bytes: " + java.util.Arrays.toString(randomBytes));
}
}
import Security
func generateRandomBytes(count: Int) -> [UInt8]? {
var randomBytes = [UInt8](repeating: 0, count: count)
let status = SecRandomCopyBytes(kSecRandomDefault, count, &randomBytes)
guard status == errSecSuccess else {
print("Error generating random bytes: \(status)")
return nil
}
return randomBytes
}
if let randomBytes = generateRandomBytes(count: 10) {
print("Random Bytes: \(randomBytes)")
}
链接
- CWE-330: Use of Insufficiently Random Values
- MSC02-J. Generate strong random numbers (CERT Secure Coding)
标准
- OWASP_MASVS_L1:
- MSTG_CRYPTO_6
- OWASP_MASVS_L2:
- MSTG_CRYPTO_6
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- OWASP_MASVS_v2_1:
- MASVS_CRYPTO_1
- SOC2_CONTROLS:
- CC_2_1
- CC_4_1
- CC_6_7
- CC_7_1
- CC_7_2
- CC_7_4
- CC_7_5
- CNIL_FOR_DEVELOPERS:
- DEVELOPERS_4_1_4
- HIPAA_CONTROLS:
- SECURITY251
- SECURITY212
- SECURITY213