Insufficient Entropy
Weakness ID: 331 (Weakness Base)Status: Draft
+ Description

Description Summary

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Observed Examples
CVE-2001-0950Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
+ Potential Mitigations

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class330Use of Insufficiently Random Values
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant332Insufficient Entropy in PRNG
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant333Improper Handling of Insufficient Entropy in TRNG
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERInsufficient Entropy
WASC11Brute Force
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
59Session Credential Falsification through Prediction
+ References
J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings