Same Seed in PRNG
Weakness ID: 336 (Weakness Base)Status: Draft
+ Description

Description Summary

A PRNG uses the same seed each time the product is initialized. If an attacker can guess (or knows) the seed, then he/she may be able to determine the "random" number produced from the PRNG.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

The following Java code uses the same seed value for a statistical PRNG on every invocation.

(Bad Code)
Example Language: Java 
private static final long SEED = 1234567890;
public int generateAccountID() {
Random random = new Random(SEED);
return random.nextInt();
}
+ Potential Mitigations

Don't reuse PRNG seeds.

Phase: Implementation

Consider a PRNG which re-seeds itself, as needed from a high quality pseudo-random output, like hardware devices.

Phase: Implementation

Perform FIPS 140-2 tests on data to catch obvious entropy problems.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class335PRNG Seed Error
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERSame Seed in PRNG
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Potential Mitigations
2009-12-28CWE Content TeamMITREInternal
updated Potential Mitigations
Back to top