Insufficient Entropy
Weakness ID: 331 (Weakness Base). Status: Draft
Description Summary
The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Observed Examples
Reference | Description
---|---
CVE-2001-0950 | Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
Potential Mitigations
Determine the amount of entropy needed for the values to be adequately random and unpredictable. This can be achieved by increasing the number of bits in objects such as keys and seeds.
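The CVE-2001-0950 pattern (a session token built from a clock-seeded general-purpose PRNG) beside its hardened form, together with a bound on the token's effective entropy. This is an added illustration, not code from the CWE entry; the 16-byte token length, the epoch-second seed and the one-day seed space are constructed assumptions.

```python
import math
import random
import secrets
import time
from typing import Optional

TOKEN_BYTES = 16  # a 128-bit token is nominally 128 bits of entropy


def weak_token(seed: Optional[int] = None) -> str:
    """The pattern behind CVE-2001-0950: a session token built from a
    general-purpose PRNG seeded with the clock.  random.Random is a Mersenne
    Twister, not a CSPRNG, and a whole-second clock seed means every token
    issued in the same second is identical and the seed space is tiny."""
    if seed is None:
        seed = int(time.time())  # whole seconds: ~86,400 distinct seeds per day
    rng = random.Random(seed)
    return rng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Hardened form: draw the bytes from the OS CSPRNG (secrets wraps
    os.urandom), which is seeded from the kernel entropy pool, not the clock."""
    return secrets.token_hex(TOKEN_BYTES)


def effective_entropy_bits(token_bytes: int, seed_space: Optional[int]) -> float:
    """Upper bound on a token's entropy: the smaller of its length in bits and
    log2 of the number of distinct generator states that could have produced
    it.  seed_space=None means the bytes came straight from a CSPRNG, so the
    length is the only bound."""
    nominal = 8.0 * token_bytes
    if seed_space is None:
        return nominal
    return min(nominal, math.log2(seed_space))


if __name__ == "__main__":
    # Constructed seed: a fixed epoch second stands in for "the time of issue".
    t = 1_700_000_000
    print("weak token reissued in the same clock second is identical:",
          weak_token(t) == weak_token(t))          # True: fully predictable
    print("weak token entropy bound over one day of seeds:",
          round(effective_entropy_bits(TOKEN_BYTES, 86_400), 1), "bits")
    print("strong token entropy bound:",
          effective_entropy_bits(TOKEN_BYTES, None), "bits")
    print("strong token:", strong_token())
```

The point of the bound is that a 128-bit token carries at most about 16 bits of entropy when its generator can only be in one of 86,400 states, which is why the mitigation above is about the entropy fed into the seed, not the length of the output.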
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Weakness Class | 330 | Use of Insufficiently Random Values | Development Concepts (primary) 699, Research Concepts (primary) 1000
ParentOf | Weakness Variant | 332 | Insufficient Entropy in PRNG | Development Concepts (primary) 699, Research Concepts (primary) 1000
ParentOf | Weakness Variant | 333 | Improper Handling of Insufficient Entropy in TRNG | Development Concepts (primary) 699, Research Concepts (primary) 1000
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
PLOVER | | | Insufficient Entropy
WASC | 11 | | Brute Force
Related Attack Patterns (CAPEC Version: 1.4)
CAPEC-ID | Attack Pattern Name
---|---
59 | Session Credential Falsification through Prediction
References
J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.