CWE

Improper Handling of Insufficient Entropy in TRNG

ID: 333
Date: (C)2012-05-14   (M)2022-10-10
Type: weakness
Status: DRAFT
Abstraction Type: Variant





Description

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

Extended Description

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Likelihood of Exploit: Low to Medium

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope: Availability
Technical Impact: DoS: crash / exit / restart
Notes: A program may crash or block if it runs out of random numbers.
 

Detection Methods
None

Potential Mitigations

Phase: Implementation
Description: Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.
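
One way to apply this mitigation, as an added example that is not part of the CWE entry: a read that waits and retries while the source is empty, with a bound on the wait, and that never returns a short or substitute buffer. The names `read_entropy`, `FlakySource` and `EntropyUnavailable`, the timeout and the backoff values are assumptions; the default source is Linux `os.getrandom` in non-blocking mode, standing in for the TRNG.

```python
import os
import time

class EntropyUnavailable(Exception):
    """The source stayed empty past the caller's deadline."""

def kernel_nonblocking(n):
    # Linux-only default source: raises BlockingIOError instead of
    # blocking while the kernel has no entropy to hand out.
    return os.getrandom(n, os.GRND_NONBLOCK)

def read_entropy(n, source=kernel_nonblocking, timeout=5.0, delay=0.01,
                 sleep=time.sleep, clock=time.monotonic):
    """Return exactly n bytes from source, waiting while it is starved."""
    deadline = clock() + timeout
    buf = bytearray()
    while len(buf) < n:
        try:
            chunk = source(n - len(buf))
        except BlockingIOError:
            chunk = b""
        if chunk:
            buf += chunk  # short reads are legal: keep them, ask for the rest
            continue
        if clock() >= deadline:
            # Fail closed: no partial buffer, no fallback to a weaker PRNG.
            raise EntropyUnavailable(f"only {len(buf)} of {n} bytes available")
        sleep(delay)                  # wait for more numbers to be created
        delay = min(delay * 2, 0.5)   # back off so the wait is not a busy loop
    return bytes(buf)

class FlakySource:
    """Constructed stand-in for a starved TRNG: replays a script of results."""
    def __init__(self, script):
        self.script = list(script)

    def __call__(self, n):
        step = self.script.pop(0) if self.script else None
        if step is None:
            raise BlockingIOError("no entropy available")
        return step[:n]

if __name__ == "__main__":
    # Constructed scenario: empty, a 2-byte short read, empty again, then data.
    src = FlakySource([None, b"\x01\x02", None, b"\x03\x04\x05\x06"])
    print(read_entropy(4, source=src, timeout=1.0).hex())
```

The bounded wait is a design choice of this example: the caller can turn `EntropyUnavailable` into a rejected request instead of a crashed or indefinitely blocked process.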
 
  

Relationships

Related CWE: CWE-333 ChildOf CWE-905
Type: Category
View: CWE-888

Demonstrative Examples

  1. This code uses a TRNG to generate a unique session id for new connections to a server:

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy: CLASP
Name: Failure of TRNG

Taxonomy: CERT Java Secure Coding
Id: MSC02-J
Name: Generate strong random numbers
 
 

References:
None

© SecPod Technologies