C#


CSHARP.LIB.RAND.FUNC : Insecure Random Number Generator (C#)

Summary

An insecure random number generator is used instead of a secure one.

In C#, random numbers can be generated with both the System.Random class (not cryptographically secure: its entire output sequence is determined by its seed, so anyone who learns or guesses the seed can reproduce every value it will ever return) and the System.Security.Cryptography.RNGCryptoServiceProvider class (cryptographically secure). The latter must be used wherever the random value has a security role, for example session identifiers, tokens, nonces, salts, initialization vectors or keys; System.Random is acceptable only for non-security uses such as simulations or test data.

Properties

Class Name Insecure Random Number Generator (C#)
Significance security
Mnemonic CSHARP.LIB.RAND.FUNC
Categories
CWE CWE:330 Use of Insufficiently Random Values
Availability Available for C# only.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.
WARNING_FILTER += discard class="Insecure Random Number Generator (C#)"

Example

using System;
using System.Security.Cryptography;

namespace Random
{
  public class Random
  {
    public static void Main(string[] args)
    {
      System.Random r = new System.Random();                  // Insecure Random Number Generator (C#) warning issued here
      int[] array = MkRandomArray(Math.Abs(r.Next() % 1000)); // Single-use Random Number Generator (C#) warning issued here
      foreach (int i in array)
        Console.WriteLine(i);

      System.Random r2 = new System.Random(15);               // Two warnings issued here:
                                                              // - Insecure Random Number Generator (C#)
                                                              // - Hardcoded Random Seed (C#)
      for (int i = 0; i < 10; i++)
        Console.WriteLine("Random value with fixed seed: " + r2.Next()); // the same ten values on every run
    }
    private static int[] MkRandomArray(int length)
    {
      int[] result = new int[length];
      for (int pos = 0; pos < length; pos++)
        result[pos] = new System.Random().Next();               // Two warnings issued here:
                                                              // - Insecure Random Number Generator (C#)
                                                              // - Single-use Random Number Generator (C#)
      return result;
    }
  }
}

In this example, the program could be modified as follows:

using System;
using System.Security.Cryptography;

namespace Random
{
  public class Random
  {
    // One generator for the whole program: kept in a static field and reused,
    // not re-created on every call (which would also trigger the Single-use warning).
    private static RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

    public static void Main(string[] args)
    {
      int[] array = MkRandomArray(Math.Abs(getRandomInt() % 1000));
      foreach (int i in array)
        Console.WriteLine(i);
    }

    private static int[] MkRandomArray(int length)
    {
      int[] result = new int[length];
      for (int pos = 0; pos < length; pos++)
      {
        result[pos] = getRandomInt();
      }
      return result;
    }

    // Draws four bytes from the CSPRNG and reinterprets them as a signed 32-bit integer.
    // The result may be negative, hence the Math.Abs above. Note that "% 1000" is not
    // perfectly uniform because 1000 does not divide 2^32; see Resolution.
    private static int getRandomInt()
    {
      byte[] buffer = new byte[4];
      rng.GetBytes(buffer);
      return BitConverter.ToInt32(buffer, 0);
    }
  }
}

Resolution

Use System.Security.Cryptography.RNGCryptoServiceProvider instead of System.Random wherever the value matters for security. On .NET Core and .NET 5 and later, prefer the static System.Security.Cryptography.RandomNumberGenerator API (RandomNumberGenerator.Fill, RandomNumberGenerator.GetBytes, RandomNumberGenerator.GetInt32): RNGCryptoServiceProvider is marked obsolete as of .NET 6 and the replacement is the same CSPRNG without the class wrapper. Store the random generator in a field instead of a local variable so it is created once and reused. When a bounded integer is needed, do not reduce the raw 32-bit output with a modulo operation, which biases the result unless the bound divides 2^32; use RandomNumberGenerator.GetInt32(min, max) (available since .NET Core 3.0) or rejection sampling instead.
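The following program is an added example, not code from the original page; it shows the two points of the Resolution that the warning itself cannot express: why a seeded System.Random is unusable for secrets, and how to derive a bounded integer from the CSPRNG without modulo bias. It assumes a target of .NET Core 2.1 / .NET 5 or later (RandomNumberGenerator.Fill); on .NET Framework replace the Fill calls with RNGCryptoServiceProvider.GetBytes. The namespace, class and method names (SecureRandomDemo, SecureRandom, NextInt32, NewToken) are chosen for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

namespace SecureRandomDemo
{
    public static class SecureRandom
    {
        // Returns a uniformly distributed integer in [0, maxExclusive) by rejection
        // sampling over 32-bit words. A plain "word % maxExclusive" is biased whenever
        // maxExclusive does not divide 2^32; words at or above `limit` are discarded so
        // that every residue is reachable from exactly the same number of words.
        // RandomNumberGenerator.GetInt32(0, maxExclusive) does the same on .NET Core 3.0+.
        public static int NextInt32(int maxExclusive)
        {
            if (maxExclusive <= 0)
                throw new ArgumentOutOfRangeException(nameof(maxExclusive));

            ulong range = (ulong)maxExclusive;
            ulong limit = (1UL << 32) - ((1UL << 32) % range); // largest multiple of range <= 2^32
            byte[] buffer = new byte[4];

            while (true)
            {
                RandomNumberGenerator.Fill(buffer);            // CSPRNG output (assumed API: .NET Core 2.1+)
                ulong word = BitConverter.ToUInt32(buffer, 0);
                if (word < limit)
                    return (int)(word % range);
                // Otherwise reject and draw again; this happens for fewer than
                // range / 2^32 of all draws, so the loop terminates quickly.
            }
        }

        // Opaque token suitable for session IDs, CSRF tokens or password-reset links:
        // `byteLength` bytes of CSPRNG output, hex-encoded. 16 bytes gives 128 bits of entropy.
        public static string NewToken(int byteLength)
        {
            if (byteLength <= 0)
                throw new ArgumentOutOfRangeException(nameof(byteLength));

            byte[] bytes = new byte[byteLength];
            RandomNumberGenerator.Fill(bytes);
            return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // 1. Why System.Random is unsafe for secrets: the whole sequence is a function of
            //    the seed, so two instances seeded alike produce exactly the same values.
            //    An attacker who recovers the seed (here the constant 15) recovers every token.
            var a = new Random(15);
            var b = new Random(15);
            int[] fromA = Enumerable.Range(0, 5).Select(_ => a.Next()).ToArray();
            int[] fromB = Enumerable.Range(0, 5).Select(_ => b.Next()).ToArray();
            Console.WriteLine("Seeded System.Random sequences identical: " + fromA.SequenceEqual(fromB));

            // 2. The CSPRNG has no caller-visible seed; successive tokens are unrelated.
            Console.WriteLine("Token 1: " + SecureRandom.NewToken(16));
            Console.WriteLine("Token 2: " + SecureRandom.NewToken(16));

            // 3. A bounded value without modulo bias, e.g. an index into a 1000-element table.
            //    Bucket counts should be close to 100 each; a biased "% 1000" would favour
            //    the lower residues.
            int[] counts = new int[1000];
            for (int i = 0; i < 100_000; i++)
                counts[SecureRandom.NextInt32(1000)]++;
            Console.WriteLine("Min/max bucket count over 100000 draws: " + counts.Min() + "/" + counts.Max());
        }
    }
}
```

The rejection loop in NextInt32 is the general form of the fix for the `% 1000` reduction shown in the corrected example above: it keeps the CSPRNG as the only entropy source and removes the small bias that a plain modulo introduces, which matters when the bounded value feeds into something an attacker can observe many times, such as a one-time code.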

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.