logo

Small Seed Space in PRNG

Draft Variant
Structure: Simple
Description

A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

Extended Description

PRNGs are entirely deterministic once seeded, so it should be extremely difficult to guess the seed. If an attacker can collect the outputs of a PRNG and then brute force the seed by trying every possibility to see which seed matches the observed output, then the attacker will know the output of any subsequent calls to the PRNG. A small seed space implies that the attacker will have far fewer possible values to try to exhaust all possibilities.
Common Consequences 1
Scope: Other

Impact: Varies by Context
Potential Mitigations 2
Phase: Architecture and Design
Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Phase: Architecture and DesignRequirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
Demonstrative Examples 1

ID : DX-178

This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key.

Code Example:

Bad
Python


getting 2 bytes of randomness for the seeding the PRNG *


python
Since only 2 bytes are used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG.
  
Observed Examples 1
CVE-2019-10908product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed.
  
References 2
FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
25-05-2001
https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402.pdf(2025-05-21)
ID: REF-267
FIPS PUB 140-3: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
22-03-2019
https://csrc.nist.gov/publications/detail/fips/140/3/final
ID: REF-1192
 
  
    
 
 
Applicable Platforms 
 
 
 
 
 
Languages:
 
 
 Not Language-Specific : Undetermined 
  
  
 
 
 
  
 
 
Modes of Introduction 
 
 
 
 
 
  Implementation  
 
 
 
          
 
 
Related Weaknesses 
 
 
 
 
  ChildOf:
 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (CWE-335) 
  PeerOf:
 Predictable from Observable State (CWE-341) 
 
 
 
 
Taxonomy Mapping 
  • PLOVER
  
Notes 
MaintenanceThis entry may have a chaining relationship with predictable from observable state (Predictable from Observable State).
MaintenanceAs of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.