Prevent predictable sequences of random numbers
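defmodule MyApp.TokenGenerator do
  def generate_token do
    # Vulnerable: seeds the generator with the current time
    :random.seed(:erlang.now())
    # Vulnerable: :random is not suitable for security tokens
    :random.uniform(100000)
  end
end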
This code is vulnerable because it uses Erlang's :random.uniform function, which is not suitable for generating secure random numbers. It also seeds the random number generator with :erlang.now, a value that can be predicted, so the numbers it produces can be predicted as well.
defmodule MyApp.TokenGenerator do
  def generate_token do
    # 16 bytes from the :crypto random source, hex-encoded
    :crypto.strong_rand_bytes(16) |> Base.encode16()
  end
end
This secure code uses the :crypto.strong_rand_bytes function to generate a binary of random bytes, which Base.encode16 then converts into a hexadecimal string. This ensures that the random values are generated securely.
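The following added example (not part of the original page) shows why a seeded generator is predictable and how to keep a numeric token in the vulnerable code's 1..100000 range while drawing it from :crypto.strong_rand_bytes. The module and function names are hypothetical, the seed value is constructed, and :rand with the :exsss algorithm (assumes OTP 22 or later) stands in for the legacy :random module.

```elixir
defmodule TokenExample do
  import Bitwise

  # Seeded PRNG: the output is a pure function of the seed, so anyone who
  # can guess the seed (for example a timestamp) can reproduce the "token".
  def seeded_token(seed_triple) do
    state = :rand.seed_s(:exsss, seed_triple)
    {n, _next_state} = :rand.uniform_s(100_000, state)
    n
  end

  # Integer in 1..limit taken from the :crypto random source.
  # Rejection sampling keeps every value equally likely (no modulo bias).
  def secure_uniform(limit) when is_integer(limit) and limit > 0 do
    bits = bit_length(limit - 1)
    bytes = max(div(bits + 7, 8), 1)
    draw(limit, bits, bytes)
  end

  defp draw(limit, bits, bytes) do
    raw = :crypto.strong_rand_bytes(bytes) |> :binary.decode_unsigned()
    # Keep only the low `bits` bits, then retry if the value is out of range.
    candidate = raw &&& ((1 <<< bits) - 1)
    if candidate < limit, do: candidate + 1, else: draw(limit, bits, bytes)
  end

  # Number of bits needed to represent n.
  defp bit_length(0), do: 0
  defp bit_length(n), do: 1 + bit_length(n >>> 1)
end

# Constructed, timestamp-like seed used only for this demonstration.
seed = {1_700_000_000, 0, 0}

# The same seed gives the same value on every call.
IO.inspect(TokenExample.seeded_token(seed) == TokenExample.seeded_token(seed),
  label: "seeded tokens identical"
)

# Values drawn from :crypto have no seed to guess.
IO.inspect(TokenExample.secure_uniform(100_000), label: "secure integer")
```

A value limited to 1..100000 can still be guessed by enumeration however it is generated, so the 16-byte hexadecimal token shown above remains the better choice when the token does not have to be numeric.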