Use of cryptographically weak Pseudo-Random Number Generator (PRNG)
Description
Depending on the context, weak random numbers can make the cryptographic functions that rely on them exploitable. When generating sensitive values such as tokens, nonces, and cryptographic keys, use the `RandomNumberGenerator` class rather than `Random`.
Examples
Insecure Code

```csharp
Random RNG = new Random();
Int32 randInt = RNG.Next(32000);
```

Secure Code

```csharp
Int32 randInt = RandomNumberGenerator.GetInt32(32000);
```

Remediation
Replace the `Random` class with `RandomNumberGenerator` for generating cryptographically secure random numbers.
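The following is an added example, not code from the rule page, showing `RandomNumberGenerator` used for each of the sensitive values the description names (a token, a nonce, a bounded integer, and a one-time code). It assumes .NET 6 or later for `RandomNumberGenerator.GetBytes`; the class, method names, and the alphabet are the example's own choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not part of the rule page): secure generation of the
// sensitive values the description names, using RandomNumberGenerator
// instead of System.Random. Requires .NET 6+ (RandomNumberGenerator.GetBytes).
public static class SecureRandomExamples
{
    // 256-bit session/API token, Base64url-encoded so it is safe in headers and URLs.
    public static string NewToken(int sizeInBytes = 32)
    {
        byte[] buffer = RandomNumberGenerator.GetBytes(sizeInBytes);
        return Convert.ToBase64String(buffer)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // 96-bit nonce for AES-GCM; a nonce must never be reused under the same key,
    // so generate a fresh one per encryption rather than deriving it from Random.
    public static byte[] NewAesGcmNonce()
    {
        byte[] nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; // 12 bytes
        RandomNumberGenerator.Fill(nonce);
        return nonce;
    }

    // Uniform integer in [0, toExclusive) without modulo bias; this is the
    // direct replacement for Random.Next(maxValue) in the insecure snippet.
    public static int NextInt(int toExclusive) =>
        RandomNumberGenerator.GetInt32(toExclusive);

    // Random one-time code; GetInt32 picks each character uniformly, unlike
    // Random or the biased pattern "randomBytes[i] % alphabet.Length".
    public static string NewCode(int length)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O or 1/I
        char[] chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
        return new string(chars);
    }

    public static void Main()
    {
        Console.WriteLine(NewToken());                          // e.g. 43-char Base64url token
        Console.WriteLine(Convert.ToHexString(NewAesGcmNonce())); // 24 hex chars
        Console.WriteLine(NextInt(32000));                      // 0 <= n < 32000
        Console.WriteLine(NewCode(8));                          // e.g. "K7PQ2XMN"
    }
}
```

`RandomNumberGenerator` is backed by the operating system's CSPRNG, so none of these outputs can be predicted from earlier ones; `System.Random` offers no such guarantee, which is why the rule flags it for token, nonce, and key generation.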
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0445 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-338 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | random number generator, cryptographic security |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |