CA5394 | Security | Enabled by default: No

Do not use insecure randomness


Description

Using a cryptographically weak pseudo-random number generator might allow an attacker to predict what security-sensitive value will be generated.

Cause

One of the methods of System.Random is invoked.

How to fix violations

If you need an unpredictable value for security, use a cryptographically strong random number generator like System.Security.Cryptography.RandomNumberGenerator or System.Security.Cryptography.RNGCryptoServiceProvider.

Example

using System;

class ExampleClass
{
    public void ExampleMethod(Random random)
    {
        // Violation: System.Random is a predictable PRNG, so this value can be guessed.
        var sensitiveVariable = random.Next();
    }
}

using System;
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(int toExclusive)
    {
        // Fix: RandomNumberGenerator is a cryptographically strong source.
        var sensitiveVariable = RandomNumberGenerator.GetInt32(toExclusive);
    }
}
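
An added example, not taken from the rule's documentation: a token generator written both ways, showing that two System.Random instances given the same seed return the same token, while RandomNumberGenerator has no seed to repeat. The class and method names, the seed 12345 and the 16-byte token length are assumptions chosen for illustration; RandomNumberGenerator.Fill and GetInt32 require .NET Core 2.1 and 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical names; the seed and token length are constructed for illustration.
static class ResetTokenDemo
{
    // Weak: flagged by CA5394. System.Random is a deterministic PRNG, so the
    // whole output sequence is a function of its seed.
    public static string WeakToken(Random random)
    {
        var bytes = new byte[16];
        random.NextBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Hardened: the bytes come from the operating system's CSPRNG.
    public static string StrongToken()
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Hardened numeric code (for example a one-time code). GetInt32 returns a
    // uniformly distributed value in [0, toExclusive), so there is no modulo bias.
    public static string StrongNumericCode(int digits)
    {
        var chars = new char[digits];
        for (int i = 0; i < digits; i++)
        {
            chars[i] = (char)('0' + RandomNumberGenerator.GetInt32(10));
        }
        return new string(chars);
    }

    static void Main()
    {
        // Two instances seeded identically produce the identical "secret".
        string a = WeakToken(new Random(12345));
        string b = WeakToken(new Random(12345));
        Console.WriteLine($"weak tokens equal:   {a == b}");

        // Independent draws from the CSPRNG do not repeat in practice.
        Console.WriteLine($"strong tokens equal: {StrongToken() == StrongToken()}");
        Console.WriteLine($"one-time code:       {StrongNumericCode(6)}");
    }
}
```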

When to suppress

It's safe to suppress warnings from this rule if you're sure that the weak pseudo-random numbers aren't used in a security-sensitive manner.
