Pseudorandom number generators (PRNGs) use deterministic mathematical algorithms to produce a sequence of numbers with good statistical properties. However, the sequences of numbers produced fail to achieve true randomness. PRNGs usually start with an arithmetic seed value. The algorithm uses this seed to generate an output value and a new seed, which is used to generate the next value, and so on.
The Java API provides a PRNG, the java.util.Random
class. This PRNG is portable and repeatable. Consequently, two instances of the java.util.Random
class that are created using the same seed will generate identical sequences of numbers in all Java implementations. Seed values are often reused on application initialization or after every system reboot. In other cases, the seed is derived from the current time obtained from the system clock. An attacker can learn the value of the seed by performing some reconnaissance on the vulnerable target and can then build a lookup table for estimating future seed values.
Consequently, the java.util.Random
class must not be used either for securitycritical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom
class.
This noncompliant code example uses the insecure java.util.Random
class. This class produces an identical sequence of numbers for each given seed value; consequently, the sequence of numbers is predictable.
import java.util.Random; // ... Random number = new Random(123L); //... for (int i = 0; i < 20; i++) { // Generate another random integer in the range [0, 20] int n = number.nextInt(21); System.out.println(n); } 
This compliant solution uses the java.security.SecureRandom
class to produce highquality random numbers:
import java.security.SecureRandom; import java.security.NoSuchAlgorithmException; // ... public static void main (String args[]) { SecureRandom number = new SecureRandom(); // Generate 20 integers 0..20 for (int i = 0; i < 20; i++) { System.out.println(number.nextInt(21)); } } 
This compliant solution uses the SecureRandom.getInstanceStrong()
method, introduced in Java 8, to use a strong RNG algorithm, if one is available.
import java.security.SecureRandom; import java.security.NoSuchAlgorithmException; // ... public static void main (String args[]) { try { SecureRandom number = SecureRandom.getInstanceStrong(); // Generate 20 integers 0..20 for (int i = 0; i < 20; i++) { System.out.println(number.nextInt(21)); } } catch (NoSuchAlgorithmException nsae) { // Forward to handler } } 
MSC02JEX0: Using the default constructor for java.util.Random
applies a seed value that is "very likely to be distinct from any other invocation of this constructor" [API 2014] and may improve security marginally. As a result, it may be used only for noncritical applications operating on nonsensitive data. Java's default seed uses the system's time in milliseconds. When used, explicit documentation of this exception is required.
import java.util.Random; // ... Random number = new Random(); // Used only for demo purposes int n; //... for (int i = 0; i < 20; i++) { // Reseed generator number = new Random(); // Generate another random integer in the range [0, 20] n = number.nextInt(21); System.out.println(n); } 
For noncritical cases, such as adding some randomness to a game or unit testing, the use of class Random
is acceptable. However, it is worth reiterating that the resulting lowentropy random numbers are insufficiently random to be used for more securitycritical applications, such as cryptography.
MSC02JEX1: Predictable sequences of pseudorandom numbers are required in some cases, such as when running regression tests of program behavior. Use of the insecure java.util.Random
class is permitted in such cases. However, securityrelated applications may invoke this exception only for testing purposes; this exception may not be applied in a production context.
Predictable random number sequences can weaken the security of critical applications such as cryptography.
Rule  Severity  Likelihood  Remediation Cost  Priority  Level 

MSC02J  High  Probable  Medium  P12  L1 
Tool  Version  Checker  Description 

Coverity  7.5  RISKY_CRYPTO  Implemented 
Parasoft Jtest  SECURITY.WSC.SRD  Implemented  
SonarQube  S2245 
CVE20066969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct crosssite request forgery attacks.
MSC30C. Do not use the rand() function for generating pseudorandom numbers  
MSC50CPP. Do not use std::rand() for generating pseudorandom numbers  
CWE327, Use of a Broken or Risky Cryptographic Algorithm CWE330, Use of Insufficiently Random Values CWE332, Insufficient Entropy in PRNG CWE336, Same Seed in PRNG CWE337, Predictable Seed in PRNG 
[API 2014]  
BC. Random objects created and used only once
 
