CWE 333

Improper Handling of Insufficient Entropy in TRNG

Weakness ID: 333 (Weakness Variant)

Status: Draft

Description

Description Summary

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

Extended Description

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Time of Introduction

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Availability	A program may crash or block if it runs out of random numbers.

Likelihood of Exploit

Low to Medium

Demonstrative Examples

Example 1

(Bad Code)

Example Language: C

while (1){

if (connection){

if (hwRandom()){

//use the random bytes

}

else (hwRandom()) {

//cancel the program

}

Potential Mitigations

Phase: Implementation

Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Base	331	Insufficient Entropy	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Weakness Class	703	Failure to Handle Exceptional Conditions	Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Failure of TRNG

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description, Name
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Description, Other Notes
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Failure of TRNG

2009-05-27	Failure to Handle Insufficient Entropy in TRNG