Difference between revisions of "Insufficient Entropy"

From OWASP
Jump to: navigation, search
(Description: added entropy link)
(Reverting to last version not containing links to s1.shard.jp)
 
(19 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
{{Template:Stub}}
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
 
==Description==
 
==Description==
  
When an undesirably low amount of [[entropy]] is available. Psuedo Random Number Generators are susceptible to suffering from insufficient entropy when they are initialized because entropy data may not be available to them yet.
+
When an undesirably low amount of entropy is available. Psuedo Random Number Generators are susceptible to suffering from insufficient entropy when they are initialized, because entropy data may not be available to them yet.
  
==Examples ==
+
==Risk Factors==
  
==Related Threats==
+
TBD
  
In many cases a PRNG uses a combination of the system clock and entropy to create seed data. In the case where insufficient entropy is available, an attacker can reduce the size magnitude of the seed value considerably. Furthermore, by guessing values of the system clock, they can create a manageable set of possible PRNG outputs.
+
==Examples==
  
==Related Attacks==
+
TBD
  
==Related Vulnerabilities==
+
==Related [[Attacks]]==
  
==Related Countermeasures==
+
* In many case,s a PRNG uses a combination of the system clock and entropy to create seed data. If insufficient entropy is available, an attacker can reduce the size magnitude of the seed value considerably. Furthermore, by guessing values of the system clock, they can create a manageable set of possible PRNG outputs.
  
[[:Category:Cryptography]]
+
==Related [[Vulnerabilities]]==
  
==Categories==
+
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* Many PRNG's (/dev/random and /dev/urandom for example) store their last value before shutdown. By using this value at intialization, they can sometimes avoid insufficient or predictable starting entropy.
 +
 
 +
==Related [[Technical Impacts]]==
 +
 
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 
 +
 
 +
==References==
 +
 
 +
TBD
 +
 
 +
 
 +
__NOTOC__
  
{{Template:Stub}}
 
  
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Cryptography]]
 
[[Category:Cryptographic Vulnerability]]
 
[[Category:Cryptographic Vulnerability]]
 +
[[Category:Vulnerability]]

Latest revision as of 07:50, 3 June 2009

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.


This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 06/3/2009

Vulnerabilities Table of Contents

Description

When an undesirably low amount of entropy is available. Psuedo Random Number Generators are susceptible to suffering from insufficient entropy when they are initialized, because entropy data may not be available to them yet.

Risk Factors

TBD

Examples

TBD

Related Attacks

  • In many case,s a PRNG uses a combination of the system clock and entropy to create seed data. If insufficient entropy is available, an attacker can reduce the size magnitude of the seed value considerably. Furthermore, by guessing values of the system clock, they can create a manageable set of possible PRNG outputs.

Related Vulnerabilities


Related Controls

  • Many PRNG's (/dev/random and /dev/urandom for example) store their last value before shutdown. By using this value at intialization, they can sometimes avoid insufficient or predictable starting entropy.

Related Technical Impacts


References

TBD