Improper Handling of Insufficient Entropy in TRNG
Weakness ID: 333 (Weakness Variant)Status: Draft
+ Description

Description Summary

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

Extended Description

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Common Consequences

A program may crash or block if it runs out of random numbers.

+ Likelihood of Exploit

Low to Medium

+ Demonstrative Examples

Example 1

(Bad Code)
Example Language:
while (1){
if (connection){

if (hwRandom()){

//use the random bytes
else (hwRandom()) {

//cancel the program
+ Potential Mitigations

Phase: Implementation

Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base331Insufficient Entropy
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfWeakness ClassWeakness Class703Failure to Handle Exceptional Conditions
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPFailure of TRNG
+ Content History
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
2009-10-29CWE Content TeamMITREInternal
updated Description, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Failure of TRNG
2009-05-27Failure to Handle Insufficient Entropy in TRNG