Same Seed in PRNG |
Weakness ID: 336 (Weakness Base) | Status: Draft |
Description Summary
A PRNG uses the same seed each time the product is initialized. If an attacker can guess (or knows) the seed, then he/she may be able to determine the "random" number produced from the PRNG.
Example 1
The following Java code uses the same seed value for a statistical PRNG on every invocation.
(Bad Code)
Example Language: Java
private static final long SEED = 1234567890;
public int generateAccountID() {
Random random = new Random(SEED);
return random.nextInt();
}
Don't reuse PRNG seeds. |
Phase: Implementation Consider a PRNG which re-seeds itself, as needed from a high quality pseudo-random output, like hardware devices. |
Phase: Implementation Perform FIPS 140-2 tests on data to catch obvious entropy problems. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 335 | PRNG Seed Error | Development Concepts (primary)699 Research Concepts (primary)1000 |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Sean Eidemiller | Cigital | External | |
added/updated demonstrative examples | ||||
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-03-10 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations | ||||
2009-12-28 | CWE Content Team | MITRE | Internal | |
updated Potential Mitigations |