Difference between revisions of "Insufficient entropy in pseudo-random number generator"

m (Reverted edits by TrocoLocor (Talk) to last version by KirstenS)

Latest revision as of 10:47, 26 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/26/2009



The lack of entropy available for, or used by, a PRNG can be a stability and security threat.


  • Availability: If a pseudo-random number generator draws on a limited entropy source that runs out, and the generator fails closed, the program may pause or crash.
  • Authentication: If a PRNG draws on a limited entropy source that runs out, and the generator fails open, it could produce predictable random numbers. A weak source of random numbers could in turn weaken the encryption method used to authenticate users, in which case a password could potentially be discovered.

Exposure period

  • Design through Implementation: If randomness is being relied on for important security functions, it is important to use the best random numbers available.


  • Languages: Any
  • Operating platforms: Any

Required resources




Likelihood of exploit


When deciding which PRNG to use, look at its sources of entropy. Depending on your security needs, you may need a random number generator which always uses strong random data, i.e., a random number generator which attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, a generator which always provides a predictable amount of strength is preferable and should be used.

Risk Factors



In C/C++ or Java:

while (1){
  if (OnConnection()){
    if (PRNG(...)){
      //use the random bytes
    }
    else {
      //cancel the program
    }
  }
}

Related Attacks

Related Vulnerabilities

Related Controls

  • Implementation: Perform FIPS 140-1 tests on data to catch obvious entropy problems.
  • Implementation: Consider a PRNG which re-seeds itself as needed from a high quality pseudo-random output, like hardware devices.
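
The FIPS 140-1 check named in the first control above can be run as a gate that fails closed on a bad sample. The following C is an added example, not code from the original page: it implements the monobit, poker and long-run tests with the thresholds published in FIPS 140-1 (the runs test is left out for length), and the names fips1401_check and fill_constructed and the xorshift32 sample are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_BYTES 2500            /* the tests use a 20,000-bit sample */
enum { FAIL_MONOBIT = 1, FAIL_POKER = 2, FAIL_LONG_RUN = 4 };

/* Returns 0 when the sample passes, else a bitmask of the failed tests. */
int fips1401_check(const uint8_t *s) {
    long ones = 0, f[16] = {0};
    int run = 0, prev = -1, longest = 0, failed = 0;
    for (int i = 0; i < SAMPLE_BYTES; i++) {
        f[s[i] >> 4]++;              /* poker: tally each 4-bit value */
        f[s[i] & 0x0F]++;
        for (int b = 7; b >= 0; b--) {
            int bit = (s[i] >> b) & 1;
            ones += bit;             /* monobit: count the 1 bits */
            run = (bit == prev) ? run + 1 : 1;
            if (run > longest) longest = run;
            prev = bit;
        }
    }
    double sum = 0.0;
    for (int i = 0; i < 16; i++) sum += (double)f[i] * (double)f[i];
    double x = (16.0 / 5000.0) * sum - 5000.0;   /* poker statistic */
    if (!(ones > 9654 && ones < 10346)) failed |= FAIL_MONOBIT;
    if (!(x > 1.03 && x < 57.4))        failed |= FAIL_POKER;
    if (longest >= 34)                  failed |= FAIL_LONG_RUN;
    return failed;
}

/* Constructed sample: xorshift32 output. Statistically uniform but NOT
   cryptographically secure; it only stands in for a healthy source here. */
void fill_constructed(uint8_t *s, uint32_t x) {
    for (int i = 0; i < SAMPLE_BYTES; i += 4) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        memcpy(s + i, &x, 4);
    }
}

int main(void) {
    uint8_t s[SAMPLE_BYTES];
    memset(s, 0, sizeof s);          /* a source that has stopped producing data */
    printf("stuck source: %d\n", fips1401_check(s));
    fill_constructed(s, 2463534242u);
    int rc = fips1401_check(s);
    printf("constructed sample: %d\n", rc);
    return rc ? 1 : 0;               /* fail closed: do not use a failing sample */
}
```

A non-cryptographic generator passes these tests, which is why the control describes them as catching only obvious entropy problems: they detect a stuck or grossly biased source, not a predictable one.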

Related Technical Impacts