[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97559

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Insufficient Entropy

ID: 331Date: (C)2012-05-14   (M)2017-11-16
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Access_Control
Other
 
Bypass protection mechanism
Other
 
An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 
 Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.
 
  

Relationships

Related CWETypeViewChain
CWE-331 ChildOf CWE-905 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase. (Demonstrative Example Id DX-46)
  2. This code generates a unique random identifier for a user's session. (Demonstrative Example Id DX-45)

Observed Examples

  1. CVE-2001-0950 : Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
PLOVER  Insufficient Entropy
 
 
WASC 11
 
Brute Force
 
 

References:

  1. John Viega Gary McGraw .Building Secure Software: How to Avoid Security Problems the Right Way 1st Edition. Addison-Wesley. Published on 2002.

© 2013 SecPod Technologies