Insufficient Entropy

Draft Base

Structure: Simple

Description

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Common Consequences 1

Scope: Access ControlOther

Impact: Bypass Protection MechanismOther

An attacker could guess the random numbers generated and could gain unauthorized access to a system if the random numbers are used for authentication and authorization.

Potential Mitigations 1

Phase: Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

Demonstrative Examples 2

ID : DX-45

This code generates a unique random identifier for a user's session.

Code Example:Bad
PHP
php

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (Small Seed Space in PRNG).

ID : DX-46

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

Code Example:Bad
Java
java

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

Observed Examples 2

CVE-2001-0950Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.

CVE-2008-2108Chain: insufficient precision (Insufficient Precision or Accuracy of a Real Number) in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (Insufficient Entropy)

References 1

Building Secure Software: How to Avoid Security Problems the Right Way

John Viega and Gary McGraw

Addison-Wesley

2002

ID: REF-207

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Implementation

Related Attack Patterns

59
Improper Link Resolution Before File Access ('Link Following')

Related Weaknesses

ChildOf:

Use of Insufficiently Random Values (CWE-330)

ChildOf:

Use of Insufficiently Random Values (CWE-330)

Taxonomy Mapping

PLOVER
WASC
CERT C Secure Coding

Notes

MaintenanceAs of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.