weak-pseudo-random-number-generator¶
Ensure weak, non-cryptographically secure pseudo-random number generator (PRNG) are not used.
Cryptographically Secure Pseudo-Random Number Generators (CSPRNG) should be used to generate cryptographic key materials because their outputs are indistinguishable from true randomness which is not the case for ordinary random number generators (PRNG).
Examples¶
Insecure Example
package main
import (
"crypto/rsa"
"fmt"
"log"
"math/rand"
"time"
)
func main() {
mathRand := rand.New(rand.NewSource(time.Now().UnixNano()))
privateKey, err := rsa.GenerateKey(mathRand, 2048)
if err != nil {
log.Fatal(err)
}
publicKey := &privateKey.PublicKey
fmt.Println("Private key:", privateKey)
fmt.Println("Public key:", publicKey)
}
Secure Example
package main
import (
"crypto/rand"
"crypto/rsa"
"fmt"
"log"
)
func main() {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatal(err)
}
publicKey := &privateKey.PublicKey
fmt.Println("Private key:", privateKey)
fmt.Println("Public key:", publicKey)
}