|ID: 331||Date: (C)2012-05-14 (M)2017-11-16|
|Type: weakness||Status: DRAFT|
|Abstraction Type: Base|
The software uses an algorithm or scheme that produces
insufficient entropy, leaving patterns or clusters of values that are more
likely to occur than others.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
Related Attack Patterns
|Access_ControlOther ||Bypass protection
mechanismOther ||An attacker could guess the random numbers generated and could gain
unauthorized access to a system if the random numbers are used for
authentication and authorization. |
|Implementation || ||Determine the necessary entropy to adequately provide for randomness
and predictability. This can be achieved by increasing the number of
bits of objects such as keys and seeds. || || |
|CWE-331 ChildOf CWE-905 ||Category ||CWE-888 || |
Demonstrative Examples (Details)
- The following code uses a statistical PRNG to create a URL for a
receipt that remains active for some period of time after a
purchase. (Demonstrative Example Id DX-46)
- This code generates a unique random identifier for a user's
session. (Demonstrative Example Id DX-45)
- CVE-2001-0950 : Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
|PLOVER || ||Insufficient Entropy || |
|WASC ||11 ||Brute Force || |
- John Viega Gary McGraw .Building Secure Software: How to Avoid Security Problems the
Right Way 1st Edition. Addison-Wesley. Published on 2002.