weak-pseudo-random-number-generator

Ensure weak, non-cryptographically secure pseudo-random number generator (PRNG) are not used.

Cryptographically Secure Pseudo-Random Number Generators (CSPRNG) should be used to generate cryptographic key materials because their outputs are indistinguishable from true randomness which is not the case for ordinary random number generators (PRNG).

Examples

Insecure Example

Go

package main

import (
    "crypto/rsa"
    "fmt"
    "log"
    "math/rand"
    "time"
)

func main() {
    mathRand := rand.New(rand.NewSource(time.Now().UnixNano()))
    privateKey, err := rsa.GenerateKey(mathRand, 2048)
    if err != nil {
        log.Fatal(err)
    }
    publicKey := &privateKey.PublicKey
    fmt.Println("Private key:", privateKey)
    fmt.Println("Public key:", publicKey)
}

Secure Example

Go

package main

import (
    "crypto/rand"
    "crypto/rsa"
    "fmt"
    "log"
)

func main() {
    privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        log.Fatal(err)
    }

    publicKey := &privateKey.PublicKey

    fmt.Println("Private key:", privateKey)
    fmt.Println("Public key:", publicKey)
}