Difference between revisions of "Failure of true random number generator"

Latest revision as of 08:02, 6 March 2009


Description

True random number generators generally have a limited source of entropy and therefore can fail or block.

Consequences

  • Availability: A program may crash or block if it runs out of random numbers.

Exposure period

  • Requirements specification: Choose an operating system which is aggressive and effective at generating true random numbers.
  • Implementation: This type of failure is a logic flaw, which can be exacerbated by the absence or misuse of mitigating technologies.

Platform

  • Languages: Any
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Low to Medium

The rate at which true random numbers can be generated is limited, so they should be consumed only where security actually requires true randomness.


Risk Factors

TBA

Examples

In C:

while (1) {
  if (connection) {
    if (hwRandom()) {
      // use the random bytes
    }
    else {
      // hwRandom() returned nothing: the entropy source failed or ran dry,
      // and the program cancels instead of waiting for more entropy
    }
  }
}


Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.
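The C example above cancels on the first empty read; the control here says to wait instead. The following is an added example, not code from the OWASP page: it puts the abort-on-failure pattern beside a bounded wait-and-retry loop, driven by a constructed stand-in for hwRandom() that reports an empty pool (EAGAIN) on its first two reads. The names entropy_fn, fill_random_abort, fill_random_wait, backoff and max_waits are assumptions for illustration.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Entropy source modelled on read(2)/getrandom(2): returns bytes delivered,
 * or -1 with errno set (EAGAIN = the entropy pool is currently empty). */
typedef ssize_t (*entropy_fn)(unsigned char *buf, size_t n);

/* The page's flawed pattern: one attempt, then give up (-1 = "cancel the program"). */
int fill_random_abort(entropy_fn src, unsigned char *buf, size_t n) {
    ssize_t got = src(buf, n);
    return (got == (ssize_t)n) ? 0 : -1;
}

/* Mitigation from Related Controls: keep the request open and wait for the pool to
 * refill. backoff() is the caller's wait (nanosleep or poll(2) on the device in real
 * code); the wait is bounded so a dead source cannot block the caller forever. */
int fill_random_wait(entropy_fn src, void (*backoff)(void),
                     unsigned char *buf, size_t n, unsigned max_waits) {
    size_t have = 0; unsigned waits = 0;
    while (have < n) {
        ssize_t got = src(buf + have, n - have);
        if (got > 0) {
            have += (size_t)got;                 /* short reads are normal for a TRNG */
        } else if (got < 0 && (errno == EAGAIN || errno == EINTR)) {
            if (++waits > max_waits) return -1;  /* fail only after a bounded wait */
            backoff();                           /* let hardware noise accumulate */
        } else {
            return -1;                           /* real I/O error: waiting will not help */
        }
    }
    return 0;
}

/* Constructed stand-in for the page's hwRandom(): the first two calls find the
 * pool empty (EAGAIN); afterwards it yields at most 4 bytes per call. */
int sim_calls = 0, sim_backoffs = 0;
ssize_t sim_hw_random(unsigned char *buf, size_t n) {
    size_t give = n < 4 ? n : 4;
    if (++sim_calls <= 2) { errno = EAGAIN; return -1; }
    memset(buf, 0xA5, give);
    return (ssize_t)give;
}
void sim_backoff(void) { sim_backoffs++; }       /* would sleep/poll in real code */

int main(void) {
    unsigned char key[16];
    int aborted = fill_random_abort(sim_hw_random, key, sizeof key);   /* -1: pool empty */
    sim_calls = 0;
    return (aborted == -1 && fill_random_wait(sim_hw_random, sim_backoff, key, sizeof key, 100) == 0) ? 0 : 1;
}
```

The abort path loses the whole connection on a transient empty pool, while the bounded wait delivers the full 16 bytes after two back-offs and still fails cleanly when the source never recovers.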


Related Technical Impacts


References

TBD