...
This compliant solution uses the java.security.SecureRandom class to produce high-quality random numbers.
| Code Block | ||
|---|---|---|
| ||
import java.security.SecureRandom;
import java.security.NoSuchAlgorithmException;
// ...
public static void main (String args[]) {
try {
SecureRandom number = SecureRandom.getInstance("SHA1PRNG");
// Generate 20 integers 0..20
for (int i = 0; i < 20; i++) {
System.out.println(number.nextInt(21));
}
} catch (NoSuchAlgorithmException nsae) {
// Forward to handler
}
}
|
...
MSC02-EX0: Using the default constructor for java.util.Random applies a seed value that is "very likely to be distinct from any other invocation of this constructor" (/[API 2006), /] and may improve security marginally. As a result, it may only be used for non-critical applications operating on non-sensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.
| Code Block | ||
|---|---|---|
| ||
import java.util.Random;
// ...
Random number = new Random(); // only used for demo purposes
int n;
//...
for (int i=0; i<20; i++) {
// Re-seed generator
number = new Random();
// Generate another random integer in the range [0, 20]
n = number.nextInt(21);
System.out.println(n);
}
|
For noncritical non-critical cases, such as adding some randomness to a game or unit testing, the use of class Random is acceptable. However, it is worth reiterating that the resulting low entropy random numbers are insufficiently random to be used for more serious applications, such as cryptography.
...
MSC30-C. Do not use the rand() function for generating pseudorandom numbers | |
MSC30-CPP. Do not use the rand() function for generating pseudorandom numbers | |
CWE ID -327, "Use of a Broken or Risky Cryptographic Algorithm" | |
| CWE ID -330, "Use of Insufficiently Random Values" |
| CWE ID -332, "Insufficient Entropy in PRNG" |
| CWE ID -333, "Improper Handling of Insufficient Entropy in TRNG" |
| CWE ID -336, "Same Seed in PRNG" |
| CWE ID -337, "Predictable Seed in PRNG" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fa34dfd8ca100c71-08d5b421-433240a5-addfa5b9-bb977be3a284233bec54d315"><ac:plain-text-body><![CDATA[ | [[API 2006 | https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]] | [Class Random | http://java.sun.com/javase/6/docs/api/java/util/Random.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="36b76d9574c4743c-132c7748-42e54f4d-b723ab04-7d925b2ef751dcb96775a963"><ac:plain-text-body><![CDATA[ | [[API 2006 | https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-API06]] | [Class SecureRandom | http://java.sun.com/javase/6/docs/api/java/security/SecureRandom.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ff285485416c0926-b79b0a62-495d43a6-aae5b587-0842df3e2a3a677804f51f96"><ac:plain-text-body><![CDATA[ | [[Find Bugs 2008 | https://www.securecoding.cert.org/confluence/display/java/AA.+Java+References#AA.JavaReferences-FindBugs08]] | BC: Random objects created and used only once | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0b9fcd7c1f851466-56f97f23-4d83406c-a564b3bc-2b5448ba3c63de2f0196f156"><ac:plain-text-body><![CDATA[ | [[Monsch 2006 | AA. Bibliography#Monsch 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
...