Insufficient entropy in pseudo-random number generator

From OWASP
Revision as of 07:12, 26 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

[http://s1.shard.jp/losaul/business-services.html girl scouts thinking day australia ] [http://s1.shard.jp/losaul/limousine-hire.html motorhome travel in australia ] [http://s1.shard.jp/losaul/wholesale-australian.html australian news anchor vomit ] [http://s1.shard.jp/olharder/automobile-accident.html adstartup automove ] [http://s1.shard.jp/bireba/airscanner-mobile.html norton antivirus software free ] [http://s1.shard.jp/galeach/new113.html double cropping in east asia ] [http://s1.shard.jp/olharder/autorizadas.html us automakers ] [http://s1.shard.jp/bireba/antivirus-freeware.html antivirus linux review ] [http://s1.shard.jp/losaul/save-the-children.html australian stock saddle company ] [http://s1.shard.jp/bireba/www-avg-antivirus.html mcafee free antivirus ] [http://s1.shard.jp/olharder/autopilot-off-clockwork.html auto body estimating programs ] [http://s1.shard.jp/olharder/autodesk-inventor.html municipio autonomo de carolina puerto rico ] [http://s1.shard.jp/bireba/download-free.html avg antivirus system download ] [http://s1.shard.jp/bireba/antivirus-software.html panda antivirus free ] [http://s1.shard.jp/galeach/new99.html asian gallery girls ] [http://s1.shard.jp/losaul/cheap-air-fare-to.html police credit union australia ] [http://s1.shard.jp/frhorton/yoc3js17e.html african drum poem ] [http://s1.shard.jp/bireba/antivirus-personal.html antivirus stop ] [http://s1.shard.jp/bireba/avg-antivirus-7.html avg antivirus download now ] [http://s1.shard.jp/frhorton/u8q43h8tl.html south africa embassy in nigeria ] [http://s1.shard.jp/losaul/alice-springs.html vintage cars for sale australia ] [http://s1.shard.jp/bireba/download-best-antivirus.html antivir antivirus software ] [http://s1.shard.jp/losaul/mazda-australia.html engineering jobs melbourne australia ] [http://s1.shard.jp/bireba/panda-antivirus.html installing antivirus software ] [http://s1.shard.jp/frhorton/rm22odke6.html african american brutality police ] [http://s1.shard.jp/losaul/australia-food-product.html australia international calling number ] [http://s1.shard.jp/galeach/new167.html asian gallery girl ] [http://s1.shard.jp/frhorton/xn61tpox7.html schools in cape town south africa ] [http://s1.shard.jp/losaul/australian-bull.html ibm notebook australia ] [http://s1.shard.jp/frhorton/4dqjbtjm2.html water research commission south africa ] [http://s1.shard.jp/losaul/visa-para-australia.html suzuki motor cycles australia ] bay area asian sports dragon [http://s1.shard.jp/frhorton/4dyaal72j.html sundaytimes south africa ] [http://s1.shard.jp/frhorton/gcc5hqqy1.html african american sciencetists ] [http://s1.shard.jp/frhorton/556tpvdn6.html african american woman and heart disease ] [http://s1.shard.jp/galeach/new16.html asian teen for cash ] link [http://s1.shard.jp/olharder/art-auto-ltd.html capital one autofinance ] [http://s1.shard.jp/bireba/antivirus-stop.html pandaantivirusonline ] [http://s1.shard.jp/frhorton/64klk5ggy.html horizon south africa ] [http://s1.shard.jp/olharder/antique-autos-for.html london insurance quote compare instant auto ] [http://s1.shard.jp/frhorton/zgxfpsa75.html african american author ] [http://s1.shard.jp/olharder/download-autoroute.html autopsy earnhardt photo ] norton antivirus 2005 keys concession auto [http://s1.shard.jp/losaul/australia-importing.html airfares london to australia ] http://www.textcnacorrocc.com This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/26/2009

Vulnerabilities Table of Contents

Description

The lack of entropy available for, or used by, a PRNG can be a stability and security threat.

Consequences

  • Availability: If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.
  • Authentication: If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users. In this case, potentially, a password could be discovered.

Exposure period

  • Design through Implementation: It is important - if one is utilizing randomness for important security - to use the best random numbers available.

Platform

  • Languages: Any
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator which always uses strong random data - i.e., a random number generator which attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally something which always provides a predictable amount of strength is preferable and should be used.


Risk Factors

TBD


Examples

In C/C++ or Java:

while (1){
  if (OnConnection()){
    if (PRNG(...)){
      //use the random bytes
    }
    else {
      //cancel the program
  }

Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: Perform FIPS 140-1 tests on data to catch obvious entropy problems.
  • Implementation: Consider a PRNG which re-seeds itself as needed from a high quality pseudo-random output, like hardware devices.


Related Technical Impacts


References

TBD