Insufficient Entropy| ID: 331 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software uses an algorithm or scheme that produces
insufficient entropy, leaving patterns or clusters of values that are more
likely to occur than others.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_ControlOther | Bypass protection
mechanismOther | An attacker could guess the random numbers generated and could gain
unauthorized access to a system if the random numbers are used for
authentication and authorization. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | Determine the necessary entropy to adequately provide for randomness
and predictability. This can be achieved by increasing the number of
bits of objects such as keys and seeds. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-331 ChildOf CWE-905 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code uses a statistical PRNG to create a URL for a
receipt that remains active for some period of time after a
purchase. (Demonstrative Example Id DX-46)
- This code generates a unique random identifier for a user's
session. (Demonstrative Example Id DX-45)
Observed Examples
- CVE-2001-0950 : Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Insufficient Entropy | |
| WASC | 11 | Brute Force | |
References:
- John Viega Gary McGraw .Building Secure Software: How to Avoid Security Problems the
Right Way 1st Edition. Addison-Wesley. Published on 2002.
