
Scala Insecure Random Key Generation

Description

Detects the use of random number generators that are not cryptographically secure (java.util.Random, scala.util.Random, Math.random, ThreadLocalRandom) to produce key or IV material in Scala code that performs cryptographic operations. These generators have a small internal state that can be reconstructed from a few observed outputs (java.util.Random is a 48-bit linear congruential generator, and scala.util.Random wraps it), so keys and IVs drawn from them are predictable: an attacker who can guess the seed, or who observes output such as a transmitted IV, can recompute the key and decrypt or forge messages. Key and IV generation must use java.security.SecureRandom, directly or through javax.crypto.KeyGenerator.

Weakness:

034 - Insecure generation of random numbers

Category: Probabilistic Techniques

Detection Strategy

    Check whether the javax.crypto package is imported, which marks the source file as performing cryptographic operations

    Look for random number generators that are not cryptographically secure (java.util.Random, scala.util.Random, Math.random, ThreadLocalRandom) whose output is used as key, IV or salt material

    Report a vulnerability when cryptographic key or IV generation relies on such a generator instead of java.security.SecureRandom or a javax.crypto.KeyGenerator backed by it
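The three steps above, applied to Scala source text by a small lexical scanner. This is an added example and not the rule engine's own implementation; the object and method names (WeakRngDetector, scan, Finding) and the three sample source files are constructed for illustration. It is deliberately line-level: a production checker would follow data flow to confirm that the weak generator's output actually reaches a key, IV or salt.

```scala
import scala.util.matching.Regex

// Added example: a lexical scanner for the detection strategy. It is illustrative
// and not the rule's real implementation; it does not track data flow, so it can
// only show that a weak RNG is used somewhere in a file that also does crypto.
object WeakRngDetector {
  final case class Finding(line: Int, text: String)

  // Step 1: the file performs cryptography if it imports javax.crypto.
  private val cryptoImport: Regex = """^\s*import\s+javax\.crypto\b""".r

  // Step 2: constructs that yield non-cryptographic randomness.
  private val weakRng: Seq[Regex] = Seq(
    """\bnew\s+(java\.util\.)?Random\b""".r,   // java.util.Random (48-bit LCG)
    """\bscala\.util\.Random\b""".r,            // thin wrapper over java.util.Random
    """\bMath\.random\(\)""".r,                 // backed by a shared java.util.Random
    """\bThreadLocalRandom\b""".r               // fast PRNG, not a CSPRNG
  )
  private val secureRng: Regex = """\bSecureRandom\b""".r

  // Step 3: report each line using a weak RNG, unless it also names SecureRandom.
  def scan(source: String): Seq[Finding] = {
    val lines = source.split('\n').toVector
    if (!lines.exists(l => cryptoImport.findFirstIn(l).isDefined)) Vector.empty
    else lines.zipWithIndex.collect {
      case (l, i) if weakRng.exists(_.findFirstIn(l).isDefined) && secureRng.findFirstIn(l).isEmpty =>
        Finding(i + 1, l.trim)
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs, not real project files.
    val vulnerable =
      """import java.util.Random
        |import javax.crypto.spec.SecretKeySpec
        |object K { val key = new Array[Byte](16); new Random().nextBytes(key) }
        |""".stripMargin
    val secure =
      """import java.security.SecureRandom
        |import javax.crypto.KeyGenerator
        |object K { val kg = KeyGenerator.getInstance("AES"); kg.init(256, new SecureRandom()) }
        |""".stripMargin
    // Uses scala.util.Random but never imports javax.crypto: step 1 excludes it.
    val nonCrypto =
      """import scala.util.Random
        |object Shuffle { def pick(xs: Seq[Int]): Int = xs(Random.nextInt(xs.size)) }
        |""".stripMargin

    Seq("vulnerable" -> vulnerable, "secure" -> secure, "nonCrypto" -> nonCrypto).foreach {
      case (name, src) => println(s"$name: ${scan(src)}")
    }
  }
}
```

Run with scala-cli or the Scala REPL: the vulnerable sample yields a single Finding on line 3, while the secure sample and the non-crypto shuffle helper yield none. The non-crypto case is the reason step 1 exists; without the javax.crypto gate, every use of scala.util.Random for shuffling or test data would be a false positive.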

Vulnerable code example

import java.util.Random
import javax.crypto.spec.{IvParameterSpec, SecretKeySpec}
import javax.crypto.Cipher

object WeakCrypto {
  def encryptInsecure(data: Array[Byte]): Array[Byte] = {
    // VULNERABLE: Using predictable Random() for IV generation instead of SecureRandom
    val ivBytes = new Array[Byte](16)...

✅ Secure code example

import java.security.SecureRandom
import javax.crypto.spec.{IvParameterSpec, SecretKeySpec}
import javax.crypto.Cipher

object SecureCrypto {
  def encryptSecure(data: Array[Byte]): Array[Byte] = {
    // Use SecureRandom for cryptographically secure random numbers
    val secureRandom = new SecureRandom()...
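The two truncated snippets above, carried through to a complete program that demonstrates both the weakness and the fix. This is an added example, not code from the original page. The weak branch seeds java.util.Random from the clock; that is an assumption chosen so the attack can be shown concretely (recoverKey searches a time window and recovers the key from the public IV alone). Even the no-argument `new Random()` used on the page is not safe: its 48-bit state can be reconstructed from a few observed outputs, such as an IV sent on the wire. The secure branch generates the key with KeyGenerator backed by SecureRandom and encrypts with AES-GCM under a fresh 96-bit nonce. Object and method names (RandomKeyDemo, recoverKey, generateKey, encryptSecure, decryptSecure) and the sample plaintext are assumptions.

```scala
import java.security.SecureRandom
import java.util.Random
import javax.crypto.{Cipher, KeyGenerator, SecretKey}
import javax.crypto.spec.{GCMParameterSpec, IvParameterSpec, SecretKeySpec}

// Added example (not the page's code): weak vs. secure key/IV generation in Scala.
object RandomKeyDemo {
  // VULNERABLE: key and IV come from java.util.Random seeded with the clock
  // (assumed seeding, to make the attack concrete). java.util.Random is a 48-bit
  // LCG; whoever can bound the timestamp, or observe a few outputs, gets the key.
  def encryptInsecure(data: Array[Byte]): (Array[Byte], Array[Byte], Array[Byte]) = {
    val rng = new Random(System.currentTimeMillis())
    val keyBytes = new Array[Byte](16)
    val ivBytes = new Array[Byte](16)
    rng.nextBytes(keyBytes)
    rng.nextBytes(ivBytes)
    val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
    cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(ivBytes))
    (keyBytes, ivBytes, cipher.doFinal(data))
  }

  // The attack: the IV is public, so try every seed in a window around the
  // suspected encryption time and keep the one that reproduces the observed IV.
  def recoverKey(ivBytes: Array[Byte], approxMillis: Long, windowMillis: Long): Option[Array[Byte]] =
    (approxMillis - windowMillis to approxMillis + windowMillis).iterator.map { seed =>
      val r = new Random(seed)
      val k = new Array[Byte](16); r.nextBytes(k)
      val iv = new Array[Byte](16); r.nextBytes(iv)
      (k, iv)
    }.collectFirst { case (k, iv) if java.util.Arrays.equals(iv, ivBytes) => k }

  // SECURE: KeyGenerator draws key material from SecureRandom. Do not seed
  // SecureRandom yourself; the platform provider seeds it from OS entropy.
  def generateKey(): SecretKey = {
    val kg = KeyGenerator.getInstance("AES")
    kg.init(256, new SecureRandom())
    kg.generateKey()
  }

  // Fresh 96-bit nonce from SecureRandom per message; AES-GCM also authenticates.
  def encryptSecure(key: SecretKey, data: Array[Byte]): Array[Byte] = {
    val iv = new Array[Byte](12)
    new SecureRandom().nextBytes(iv)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv))
    iv ++ cipher.doFinal(data) // nonce is prepended; it must be unique per key, not secret
  }

  def decryptSecure(key: SecretKey, blob: Array[Byte]): Array[Byte] = {
    val (iv, ct) = blob.splitAt(12)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv))
    cipher.doFinal(ct) // throws AEADBadTagException if ciphertext or nonce was tampered with
  }

  def main(args: Array[String]): Unit = {
    val msg = "constructed sample plaintext".getBytes("UTF-8") // constructed input

    val t0 = System.currentTimeMillis()
    val (key, iv, _) = encryptInsecure(msg)
    val recovered = recoverKey(iv, t0, windowMillis = 5000)
    println(s"weak key recovered from IV and a 10 s time window: ${recovered.exists(_.sameElements(key))}")

    val k = generateKey()
    val blob = encryptSecure(k, msg)
    println(s"AES-GCM round trip with SecureRandom key and nonce: ${decryptSecure(k, blob).sameElements(msg)}")
  }
}
```

The seed search tries about ten thousand candidates and finishes in well under a second; that is the whole cost of breaking a key drawn from a clock-seeded java.util.Random. No equivalent search exists against the secure path, whose key and nonce come from SecureRandom's OS-seeded CSPRNG. Note that AES-GCM replaces the page's AES-CBC: CBC with a random IV is not wrong as such, but it provides no integrity, so the fixed form uses an AEAD mode.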