How good are algorithms used in Javascript Math.random() in different browsers? Is it okay to use it for generating salts and one-time passwords?
How many bits from one random I can use?
asked Apr 13, 2011 at 15:31
Add a comment
|
8 Answers
Nope; JavaScript's Math.random() function is not a cryptographically-secure random number generator. You are better off using the JavaScript Crypto Library's Fortuna implementation which is a strong pseudo-random number generator (have a look at src/js/Clipperz/Crypto/PRNG.js), or the Web Crypto API for getRandomValues
- Here is a detailed explanation: How trustworthy is javascript's random implementation in various browsers?
- Here is how to generate a good crypto grade random number: Secure random numbers in javascript?
answered Apr 13, 2011 at 15:36
-
4As an addendum, though, you don't need a cryptographically secure PRNG to generate a salt. Salts need only be unique, and generated nondeterministically. Commented Apr 13, 2011 at 23:55
-
Good point but again, a short password + salt may fall victim to rainbow tables. Where cryptography is involved, it is always favorable to use crypto-grade RNGs. Commented Apr 14, 2011 at 0:40
-
1@Teoman The length of the salt and password are independent of the source of the salt, though. And yes, cryptographically secure is generally a safer bet. Commented Apr 14, 2011 at 3:35
-
It doesn't have to be short actually, being predictable (as in random()) makes it a very good target for dictionary/table attacks.. Commented Apr 14, 2011 at 3:38
-
@Teoman That's why I said 'deterministic'. It's only predictable if either the first bits provide information about the subsequent ones, reducing entropy - which only very poor RNGs like LCGs will do - or if the salt can be predicted from other information such as the password. Neither of those are the case for even half-decent non-cryptographic PRNGs. Commented Apr 14, 2011 at 5:48
It is not secure at all, and in some cases was so predictable you could rebuild internal state of the PRNG, deduct the seed and thus could use it to track people across websites even if they didn't use cookies, hid behind onion routing etc...
2022 edit since this answer still gets upvotes: use Crypto.getRandomValues if you need a cryptographic RNG in JavaScript
http://landing2.trusteer.com/sites/default/files/Temporary_User_Tracking_in_Major_Browsers.pdf a 2008 paper exposing the user tracking possibilities of the browser weak PRNG
http://dl.packetstormsecurity.net/papers/general/Google_Chrome_3.0_Beta_Math.random_vulnerability.pdf a later (2009) Chrome vulnerability, as the problem was already well known
-
Thank you for the link, it's a good example how weak might be a browser's PRNG. Commented Apr 13, 2011 at 15:58
-
The paper I wanted to link is actually the more generic trusteer.com/files/… Commented Apr 13, 2011 at 16:13
-
As of March 2013, window.crypto.getRandomValues is an "experimental technology" available since Chrome 11 and Firefox 21 that lets you get cryptographically random values. Also, see getRandomValues from the lastest W3C Web Cryptography API draft.
Description:
If you provide an integer-based TypedArray (i.e.
Int8Array,Uint8Array,Int16Array,Uint16Array,Int32Array, orUint32Array), the function is going fill the array with cryptographically random numbers. The browser is supposed to be using a strong (pseudo) random number generator. The method throws the QuotaExceededError if the requested length is greater than 65536 bytes.
Example:
var array = new Uint32Array(10);
window.crypto.getRandomValues(array);
console.log("Your lucky numbers:");
for (var i = 0; i < array.length; i++) {
console.log(array[i]);
}
Also, an answer to How random is JavaScript's Math.random? refers to Temporary user tracking in major browsers and Cross-domain information leakage and attacks from 2008 which discusses how the JavaScript Math.random() function leaks information.
Update: For current browser support status, check out the Modern.IE Web Crypto API section, which also links to the Chrome, Firefox, and Safari bug reports.
answered Mar 28, 2013 at 14:12
-
Current link for the status of the Web Crypto API can be found here: developer.microsoft.com/en-us/microsoft-edge/platform/status/…– peaterCommented Aug 21, 2019 at 14:16
Because you cannot know the exact implementation of the browser (except for closed user groups like for your business intranet) I would generally consider the RNG weak.
Even if you can identify the browser you don't know if the browser itself or any other browser's agent ID is manipulated. If you can you should generate the number on the server.
Even if you include a good PRNG in your JavaScript your server cannot know whether the request from the client originates from an unmodified script. If the number goes into your database and/or is used as a cryptographic tool it is no good idea to trust the data from the client at all. That is true not only for validity (You do validate all data coming from the client, don't you?) but also for general properties like randomness.
answered Apr 13, 2011 at 15:42
Here is my proposed solution in Typescript:
/**
* This method returns a random number between 0 and 1 (Compatible with Math.random())
* // Compliant for security-sensitive use cases
* @returns Random number between 0 and 1.
*/
export const randomNumber = (): number => {
// RandomBytes generates 4 random bytes, which are then read as a 32-bit unsigned integer in little endian.
// The max value of a 32bit unsigned int is 0xFFFFFFFF (or 4,294,967,295 in decimal).
// By dividing the randomly generated 32bit int by its max value you get a value between 0 and 1.
// eslint-disable-next-line unicorn/number-literal-case
return randomBytes(4).readUInt32LE(0) / 0xffffffff;
};
Just want to clarify the @Saeger answer. To be compatible with Math.random() result, we have to divide on 0xffffffff + 1, because the result should be from 0 to <1 as mentioned here:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random
So the correct secure version for Math.random() in browser is:
crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1)
I am not a security expert, but that is what I have found researching the internet.
Also number 0xFFFFFFFF + 1 can be represented as 4294967296 or 2 ** 32
If you are looking for a custom random number generator. Which also passes cryptography check.. Something simple as below is enough.
function numberGenerator(max){
let num = (Date.now() +'');
num = parseInt(num.at(num.length-1));
while(num > max){
num -= max
}
return num;
}
This can return you a random number between 0-9 which is lower than the max you provide in argument. Feel free to modify it, or just call it twice for 2 digits and concat them.
Math.random() is not cryptographically secure. Also Veracode will point this occurrence with
CWE-331 (Insufficient Entropy)
We could make use of SecureRandom to implement similar functionality.
new SecureRandom().nextDouble();
-
6
-
4The "SecureRandom.nextDouble" seems to be in Java; which is useless to us in JavaScript. Commented Apr 29, 2022 at 20:45