logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure generation of random numbers - Ruby

Need

Secure generation of random numbers

Context

  1. Usage of Ruby for building dynamic and object-oriented applications
  2. Usage of Ruby for building dynamic and object-oriented applications

Description

Insecure Code Example

def insecure_random_number
  rand(1000)
end

This function `insecure_random_number` generates a random number between 0 and 1000 using the `rand` function in Ruby. This function is insecure because it uses a pseudo-random number generator with a relatively small range of possible outputs (0-1000). The `rand` function in Ruby uses a deterministic algorithm to generate a sequence of numbers that appears to be random. However, if an attacker can observe enough of the sequence, they can predict the rest of the sequence. In other words, the `rand` function does not generate truly random numbers, and therefore should not be used in security-sensitive contexts where the unpredictability of the numbers is important. Furthermore, the small range of possible outputs (0-1000) increases the probability that an attacker could guess the number, especially if they can make multiple attempts. To mitigate this vulnerability, you should use a secure random number generator that is designed for cryptographic purposes and has a larger range of possible outputs.

Steps

  1. Replace the use of the 'rand' function with a cryptographically secure random number generator.
  2. Use a secure random number generator library or function provided by the programming language or framework.
  3. Ensure that the random number generator used has a sufficient range and entropy to generate unpredictable and secure random numbers.
  4. Test the updated code to ensure that the random number generation is secure and does not introduce any regressions or vulnerabilities.

Secure Code Example

require 'securerandom'

def secure_random_number
  SecureRandom.random_number(1000)
end

The previous code was using the `rand` function to generate random numbers, which is not cryptographically secure. This could allow an attacker to guess the generation sequence after a short time or predict results using probabilistic methods. The updated code uses the `SecureRandom` library, which is a part of the Ruby Standard Library. The `SecureRandom.random_number` function generates a random number that is cryptographically secure, meaning it's suitable for generating session keys in HTTP cookies, etc. This function generates a float number between 0.0 and the argument provided, in this case, 1000. If you need an integer, you can use the `to_i` method to convert the float to an integer. This change ensures that the random number generation is secure and unpredictable, reducing the risk of an attacker being able to predict the random numbers generated by the application.

References

  • 034 - Insecure generation of random numbers

    • Last updated

    2023/09/18