Insufficient Entropy in PRNG
Weakness ID: 332 (Weakness Variant) | Status: Draft
Description Summary
Scope | Effect |
---|---|
Availability | If a pseudo-random number generator (PRNG) uses a limited entropy source that runs out, and the generator fails closed, the program may pause or crash. |
Authentication | If a PRNG uses a limited entropy source that runs out, and the generator fails open, the generator could produce predictable random numbers. A weak source of random numbers could in turn weaken the encryption method used to authenticate users, in which case a password could potentially be discovered. |
Example 1
Phase | Mitigation |
---|---|
Implementation | Perform FIPS 140-2 tests on data to catch obvious entropy problems. |
Implementation | Consider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices. |
Architecture and Design | When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that always provides a predictable amount of strength is preferable. |
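
The FIPS 140-2 check named in the first mitigation can be run over a 20,000-bit sample of generator output, as in this added example (not part of the CWE entry; function and sample names are hypothetical, and the intervals are the FIPS 140-2 statistical test intervals). It flags a dead, patterned, or briefly stuck source, but passing it does not show that the entropy is sufficient, since any deterministic generator with good statistics also passes.

```python
import os

SAMPLE_BYTES = 2500  # the tests are defined over one 20,000-bit sample
# Inclusive run-count bounds per run length (6 means "6 or longer").
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def to_bits(data):
    if len(data) != SAMPLE_BYTES:
        raise ValueError("need exactly 2500 bytes (20,000 bits)")
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def monobit_ok(bits):
    return 9725 < sum(bits) < 10275  # count of one bits

def poker_ok(bits):
    counts = [0] * 16  # occurrences of each 4-bit value over 5,000 nibbles
    for i in range(0, len(bits), 4):
        counts[bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17

def runs_ok(bits):
    """Return (runs test passed, long-run test passed)."""
    tally = {0: [0] * 7, 1: [0] * 7}  # tally[bit][run length capped at 6]
    longest, start = 0, 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            length = i - start
            longest = max(longest, length)
            tally[bits[start]][min(length, 6)] += 1
            start = i
    counts_ok = all(lo <= tally[bit][n] <= hi
                    for bit in (0, 1) for n, (lo, hi) in RUN_LIMITS.items())
    return counts_ok, longest < 26  # a run of 26 or more fails the long-run test

def fips_check(data):
    bits = to_bits(data)
    runs, long_run = runs_ok(bits)
    return {"monobit": monobit_ok(bits), "poker": poker_ok(bits),
            "runs": runs, "long_run": long_run}

# Constructed samples: a dead source, a patterned source, a briefly stuck source.
ZEROS = bytes(SAMPLE_BYTES)
ALTERNATING = b"\xaa" * SAMPLE_BYTES
STUCK = bytearray(os.urandom(SAMPLE_BYTES))
STUCK[100:104] = bytes(4)  # 32 consecutive zero bits inside otherwise good data

if __name__ == "__main__":
    for name, sample in (("zeros", ZEROS), ("alternating", ALTERNATING), ("stuck", STUCK)):
        print(name, fips_check(sample))
```

The alternating sample passes the monobit test and fails the poker and runs tests, which is why the tests are applied together rather than individually.
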
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Base | 331 | Insufficient Entropy | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | CLASP | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Changes |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Taxonomy Mappings |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Potential Mitigations |
2009-12-28 | CWE Content Team | MITRE | Internal | updated Potential Mitigations |