Weak Random Generation

Overview

Applications use random values in many flows for security purposes, such as password recovery or session generation. However, not every value that seems random actually is. As a result, if an application relies on generators to produce values that can be predicted, then that application is vulnerable.

When random values can be predicted?

There are several conditions that may allow you to predict generated random values:

• Insufficient length of generated values (this usually means the lenght < 16 bytes).

• Short alphabet that is used for generation.

• Using static values for generation.

• Using values that can be easily guessed (for example, timestamp).

• Using statistical random number generators whose output can be reproduced.

Often, the fulfillment of one or more of the conditions above will result in the ability to predict generated values.

Random generation

Go

Weak generation:

• math/rand

Crypto-strong generation:

• crypto/rand

Java

Weak generation:

• java.util.Random
• org.apache.commons.lang3.RandomStringUtils

Crypto-strong generation:

• java.security.SecureRandom

  For a UNIX-like OS, the default strong generation algorithm is NativePRNGBlocking, which is based on /dev/random. As a result, SecureRandom.getInstanceStrong() will return a SecureRandom implementation that can block the current thread when the generateSeed or nextBytes methods is called.

References:

• Everything about Java's SecureRandom
• CRACKING THE ODD CASE OF RANDOMNESS IN JAVA
• elttam/rsu-cracker - RandomStringUtils/nextInt Cracker

Node.js

Weak generation:

• Math.random()

Crypto-strong generation:

• node:crypto

Python

Weak generation:

• random

Crypto-strong generation:

• secrets

Ruby

Weak generation:

• Random
• Kernel.rand

Crypto-strong generation:

• SecureRandom

UUID/GUID

Universally unique identifier (UUID) or globally unique identifier (GUID) is a 128-bit label used for information in computer systems. UUID/GUID has the following format:

123e4567-e89b-12d3-a456-426614174000

There are five versions of UUID/GUID versions defined in the RFC4122:

• Version 0 Only seen in the nil UUID/GUID 00000000-0000-0000-0000-000000000000.

• Version 1 The UUID/GUID is generated in a predictable manner based on:

  • The current time.

  • A randomly generated "clock sequence" which remains constant between UUIDs/GUIDs during the uptime of the generating system.

  • A "node ID", which is generated based on the system's MAC address if it is available.

• Version 3 The UUID/GUID is generated using an MD5 hash of a provided name and namespace.

• Version 4 The UUID/GUID is randomly generated.

• Version 5 The UUID/GUID is generated using a SHA1 hash of a provided name and namespace.

You can find the UUID/GUID version number directly after the second hyphen. For example, the UUID/GUID shown above is a version 4.

bcd510ca-3357-48d7-8e3f-1206b9c09632
              ^

As you can see there is only version 4 which uses a random number generator to generate the values. Therefore, other versions can be potentially predicted. In the references you can find a link to a tool that allows generating UUID/GUID of version 1 based on a creation time and a UUID/GUID sample.

References:

• Intruder - Cyber Security Research: In GUID We Trust
• intruder-io/guidtool: A tool to inspect and attack version 1 GUIDs