계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

Insecure Randomness: Hardcoded Seed

Abstract

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.

Explanation

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: CL_ABAP_RANDOM 클래스 또는 해당 변형)에서 특정 상수 값을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 GET_NEXT, INT 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 발췌한 다음 내용에서는 random_gen2 객체에서 생성되는 값을 random_gen1 객체에서 예측할 수 있습니다.


		DATA: random_gen1 TYPE REF TO cl_abap_random,
			  random_gen2 TYPE REF TO cl_abap_random,
			  var1 TYPE i,
			  var2 TYPE i.

		random_gen1 = cl_abap_random=>create( seed = '1234' ).

		DO 10 TIMES.
			CALL METHOD random_gen1->int
				RECEIVING
			value  = var1.

			WRITE:/ var1.
		ENDDO.

		random_gen2 = cl_abap_random=>create( seed = '1234' ).

		DO 10 TIMES.
			CALL METHOD random_gen2->int
				RECEIVING
			value  = var2.

			WRITE:/ var2.
		ENDDO.

이 예제에서는 의사 난수 발생기 random_gen1 및 random_gen2에서는 동일한 시드 값이 생성되었으므로 var1 = var2입니다.

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[2] Standards Mapping - Common Weakness Enumeration CWE ID 336

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[4] Standards Mapping - FIPS200 MP

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)

[9] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[10] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

desc.structural.abap.insecure_randomness_hardcoded_seed

Abstract

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.

Explanation

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: rand())에서 특정 값(srand(unsigned int) 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 rand() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 첫 번째 2개 블록이 동일한 시드로 시작하므로 의사 난수 발생기(PRNG)가 생성하는 값을 예측할 수 있습니다.


        srand(2223333);
        float randomNum = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum);
        randomNum = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum);

        srand(2223333);
        float randomNum2 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum2);
        randomNum2 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum2);

        srand(1231234);
        float randomNum3 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum3);
        randomNum3 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum3);

이 예제에서는 randomNum1 및 randomNum2의 결과에서 동일하게 시드가 생성되었기 때문에 의사 난수 발생기 srand(2223333)의 시드를 생성하는 호출이 끝난 후 rand()를 호출할 때마다 동일한 호출 순서로 동일한 출력 결과가 생성됩니다. 예를 들어 출력은 다음과 같을 수 있습니다.


Random: 32.00
Random: 73.00
Random: 32.00
Random: 73.00
Random: 15.00
Random: 75.00

이 결과는 난수와는 거리가 멉니다.

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST

[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST

[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST

[5] Standards Mapping - Common Weakness Enumeration CWE ID 336

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[7] Standards Mapping - FIPS200 MP

[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)

[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

desc.semantic.cpp.insecure_randomness_hardcoded_seed

Abstract

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.

Explanation

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(PRNG)에서 특정 값(math.Rand.New(Source) 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 math.Rand.Int() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 첫 번째 2개 블록이 동일한 시드로 시작하므로 의사 난수 발생기(PRNG)가 생성하는 값을 예측할 수 있습니다.


  r := rand.New(rand.NewSource(12345))
  i := r.nextInt()
  
  r.Seed(12345)
  j := r.nextInt()

이 예에서 PRNG는 동일하게 시드가 생성되었기 때문에 의사 난수 발생기(randomGen.Seed(12345))의 시드를 생성한 호출 이후의 모든 nextInt() 호출은 동일한 출력과 동일한 순서로 나타납니다.

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[2] MSC02-J. Generate strong random numbers CERT

[3] MSC03-J. Never hard code sensitive information CERT

[4] Standards Mapping - Common Weakness Enumeration CWE ID 336

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[6] Standards Mapping - FIPS200 MP

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)

[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[12] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design

[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II

desc.semantic.golang.insecure_randomness_hardcoded_seed

Abstract

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.

Explanation

시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: Random)에서 특정 값(Random.setSeed() 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 Random.nextInt() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1:Random 개체 randomGen2를 통해 생성되는 값을 Random 개체 randomGen1에서 예측할 수 있습니다.


        Random randomGen1 = new Random();
        randomGen1.setSeed(12345);
        int randomInt1 = randomGen1.nextInt();
        byte[] bytes1 = new byte[4];
        randomGen1.nextBytes(bytes1);

        Random randomGen2 = new Random();
        randomGen2.setSeed(12345);
        int randomInt2 = randomGen2.nextInt();
        byte[] bytes2 = new byte[4];
        randomGen2.nextBytes(bytes2);

이 예제에서는 의사 난수 발생기 randomGen1 및 randomGen2는 동일하게 시드가 생성되었기 때문에 randomInt1 == randomInt2이고 해당하는 배열 bytes1[] 및 bytes2[]의 값이 같습니다.

References

[1] Java Cryptography Architecture Oracle

[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley

[3] MSC02-J. Generate strong random numbers CERT

[4] MSC03-J. Never hard code sensitive information CERT