Insecure Generation of Random Numbers

Need

Prevent predictable sequences of random numbers

Context

• Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications

• Usage of Erlang/OTP for building scalable and fault-tolerant systems

Description

1. Non compliant code

defmodule MyApp.TokenGenerator do
  def generate_token do
    :random.seed(:erlang.now())
    :random.uniform(100000)
  end
end

This code is vulnerable as it uses the :random.uniform function from Erlang which is not suitable for generating secure random numbers. Also, it uses :erlang.now to seed the random number generator, which can be predictable and hence lead to generating predictable random numbers.

2. Steps

• Avoid using the :random.uniform function for generating secure random numbers.

• Use :crypto.strong_rand_bytes function for generating secure random numbers.

• Use Base.encode16 function to convert the binary data to a hexadecimal string if needed.

3. Secure code example

defmodule MyApp.TokenGenerator do
  def generate_token do
    :crypto.strong_rand_bytes(16) |> Base.encode16()
  end
end

This secure code uses the :crypto.strong_rand_bytes function for generating a binary string of random bytes, which is then converted into a hexadecimal string using Base.encode16. This ensures the generation of secure random numbers.

References

• 034. Insecure Generation of Random Numbers

On this page