java.security — weak random
Use of Cryptographically Weak Pseudo-Random Number Generator SHA1PRNG
This rule identifies instances where the Java SecureRandom class is instantiated with the SHA1PRNG algorithm. Although SHA1PRNG has been widely used, it is considered less secure than the newer algorithms now available and is potentially vulnerable. Stronger algorithms are recommended to ensure the cryptographic strength of random numbers.
The SHA1PRNG algorithm for SecureRandom may not provide a sufficiently strong
level of randomness for security-sensitive applications. SHA-1 has been
found to be weak against collision attacks, and while SHA1PRNG is not
directly equivalent to SHA-1, its association with SHA-1 and the lack of
transparency in its implementation across different Java platforms raise
concerns about its suitability and security. Modern cryptographic applications
require stronger guarantees of randomness to prevent attacks.
Example
| SecureRandomSHA1PRNG.java | |
|---|---|
Example Output
> precli tests/unit/rules/java/stdlib/java_security/examples/SecureRandomSHA1PRNG.java
⚠️ Warning on line 6 in tests/unit/rules/java/stdlib/java_security/examples/SecureRandomSHA1PRNG.java
JAV004: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The SecureRandom algorithm 'SHA1PRNG' may not provide sufficient entropy.
Remediation
It is recommended to use SecureRandom without specifying an algorithm,
allowing the Java runtime to select the strongest available algorithm, or
explicitly specify a more secure algorithm like NativePRNG or DRBG where
available and appropriate for the application's requirements. This ensures
the use of secure and up-to-date algorithms for random number generation.
| SecureRandomSHA1PRNG.java | |
|---|---|
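The flagged call beside the two remediations described above, as an added example that is not the project's SecureRandomSHA1PRNG.java test file. The class name and the `newToken` helper are hypothetical, and the DRBG algorithm name assumes Java 9 or later.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical class for illustration; not the project's example file.
public class SecureRandomRemediation {

    // Flagged pattern: the algorithm is pinned to SHA1PRNG by name.
    static SecureRandom flagged() throws NoSuchAlgorithmException {
        return SecureRandom.getInstance("SHA1PRNG");
    }

    // Remediation 1: name no algorithm, so the runtime selects its
    // preferred implementation from the installed providers.
    static SecureRandom runtimeDefault() {
        return new SecureRandom();
    }

    // Remediation 2: request DRBG explicitly. On runtimes that do not
    // ship it, fall back to the runtime default, never to SHA1PRNG.
    static SecureRandom drbgOrDefault() {
        try {
            return SecureRandom.getInstance("DRBG");
        } catch (NoSuchAlgorithmException e) {
            return new SecureRandom();
        }
    }

    // A typical security-sensitive use: a 256-bit URL-safe token.
    static String newToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // getAlgorithm() shows what each construction actually resolved to
        // on this runtime, which is worth logging once at startup.
        System.out.println("flagged:  " + flagged().getAlgorithm());
        System.out.println("default:  " + runtimeDefault().getAlgorithm());
        SecureRandom rng = drbgOrDefault();
        System.out.println("explicit: " + rng.getAlgorithm());
        System.out.println("token:    " + newToken(rng));
    }
}
```

The algorithm reported for the default constructor varies by platform and JDK configuration, so the printed names differ between hosts.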
Default Configuration
See also
Info
New in version 0.5.0