Insecure generation of random numbers - Ruby

Insecure generation of random numbers - Ruby

Need

Secure generation of random numbers

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of Ruby for building dynamic and object-oriented applications

Description

Non compliant code

        def insecure_random_number
  rand(1000)
end
        
        

This function insecure_random_number generates a random number between 0 and 1000 using the rand function in Ruby. This function is insecure because it uses a pseudo-random number generator with a relatively small range of possible outputs (0-1000).

The rand function in Ruby uses a deterministic algorithm to generate a sequence of numbers that appears to be random. However, if an attacker can observe enough of the sequence, they can predict the rest of the sequence.

In other words, the rand function does not generate truly random numbers, and therefore should not be used in security-sensitive contexts where the unpredictability of the numbers is important.

Furthermore, the small range of possible outputs (0-1000) increases the probability that an attacker could guess the number, especially if they can make multiple attempts.

To mitigate this vulnerability, you should use a secure random number generator that is designed for cryptographic purposes and has a larger range of possible outputs.

Steps

  • Replace the use of the 'rand' function with a cryptographically secure random number generator.
  • Use a secure random number generator library or function provided by the programming language or framework.
  • Ensure that the random number generator used has a sufficient range and entropy to generate unpredictable and secure random numbers.
  • Test the updated code to ensure that the random number generation is secure and does not introduce any regressions or vulnerabilities.

Compliant code

        require 'securerandom'

def secure_random_number
  SecureRandom.random_number(1000)
end
        
        

The previous code was using the rand function to generate random numbers, which is not cryptographically secure. This could allow an attacker to guess the generation sequence after a short time or predict results using probabilistic methods.

The updated code uses the SecureRandom library, which is a part of the Ruby Standard Library. The SecureRandom.random_number function generates a random number that is cryptographically secure, meaning it's suitable for generating session keys in HTTP cookies, etc.

This function generates a float number between 0.0 and the argument provided, in this case, 1000. If you need an integer, you can use the to_i method to convert the float to an integer.

This change ensures that the random number generation is secure and unpredictable, reducing the risk of an attacker being able to predict the random numbers generated by the application.

References