Non-cryptographic PRNG

From Guidance Share

Description

Using a non-cryptographic pseudo-random number generator (PRNG) as a source of randomness for security purposes can be very dangerous, because the sequence of 'random' numbers it produces is actually predictable.


Applies To

  • Languages: All languages.
  • Operating platforms: All platforms.


Example

rand() is the most commonly used non-cryptographic PRNG:

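#include <stdlib.h>    /* srand, rand */
#include <time.h>      /* time */
srand(time(NULL));     /* seed is the current time */
int randNum = rand();  /* fully determined by the seed */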


Impact

  • Authentication: A weak source of random numbers could potentially weaken the encryption method used to authenticate users. In this case, a password could potentially be discovered.


Vulnerabilities

  • Use of a non-cryptographic PRNG for cryptographic tasks (such as key generation).


Countermeasures

  • Design through Implementation: Use functions or hardware that rely on hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.
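
The following is an added example, not code from the original page: it puts a rand()-based token next to one filled from the operating system's random source. The function names are hypothetical, and reading /dev/urandom on a POSIX system is an assumption used here in place of the platform functions named above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define TOKEN_LEN 16

/* Weak: every byte is a function of the seed alone, so anyone who knows
 * (or guesses) the seed value regenerates exactly the same token. */
void weak_token(unsigned int seed, unsigned char *out, size_t n)
{
    srand(seed);
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened: fill the buffer from the OS random source (assumption: POSIX
 * /dev/urandom). Returns 0 on success, -1 on failure; never fall back to rand(). */
int secure_token(unsigned char *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Returns 1 when two tokens generated from the same seed are identical. */
int weak_repeats(unsigned int seed)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    weak_token(seed, a, sizeof a);
    weak_token(seed, b, sizeof b);
    return memcmp(a, b, sizeof a) == 0;
}

/* Returns 1 when two OS-sourced tokens differ, 0 if equal, -1 on error. */
int secure_differs(void)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    if (secure_token(a, sizeof a) != 0 || secure_token(b, sizeof b) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    unsigned int now = (unsigned int)time(NULL); /* identical for every caller this second */
    printf("rand() token repeats for seed %u: %d\n", now, weak_repeats(now));
    printf("OS-sourced tokens differ: %d\n", secure_differs());
    return 0;
}
```

With a time-based seed, the whole 16-byte token carries no more uncertainty than the timestamp it was seeded with, which is why the length of the output does not help.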


Vulnerability Patterns


How Tos
