Insufficient entropy in pseudo-random number generator

Revision as of 07:12, 26 May 2009 by Deleted user (Talk | contribs)

Jump to: navigation, search

[ girl scouts thinking day australia ] [ motorhome travel in australia ] [ australian news anchor vomit ] [ adstartup automove ] [ norton antivirus software free ] [ double cropping in east asia ] [ us automakers ] [ antivirus linux review ] [ australian stock saddle company ] [ mcafee free antivirus ] [ auto body estimating programs ] [ municipio autonomo de carolina puerto rico ] [ avg antivirus system download ] [ panda antivirus free ] [ asian gallery girls ] [ police credit union australia ] [ african drum poem ] [ antivirus stop ] [ avg antivirus download now ] [ south africa embassy in nigeria ] [ vintage cars for sale australia ] [ antivir antivirus software ] [ engineering jobs melbourne australia ] [ installing antivirus software ] [ african american brutality police ] [ australia international calling number ] [ asian gallery girl ] [ schools in cape town south africa ] [ ibm notebook australia ] [ water research commission south africa ] [ suzuki motor cycles australia ] bay area asian sports dragon [ sundaytimes south africa ] [ african american sciencetists ] [ african american woman and heart disease ] [ asian teen for cash ] link [ capital one autofinance ] [ pandaantivirusonline ] [ horizon south africa ] [ london insurance quote compare instant auto ] [ african american author ] [ autopsy earnhardt photo ] norton antivirus 2005 keys concession auto [ airfares london to australia ] This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/26/2009

Vulnerabilities Table of Contents


The lack of entropy available for, or used by, a PRNG can be a stability and security threat.


  • Availability: If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.
  • Authentication: If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users. In this case, potentially, a password could be discovered.

Exposure period

  • Design through Implementation: It is important - if one is utilizing randomness for important security - to use the best random numbers available.


  • Languages: Any
  • Operating platforms: Any

Required resources




Likelihood of exploit


When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator which always uses strong random data - i.e., a random number generator which attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally something which always provides a predictable amount of strength is preferable and should be used.

Risk Factors



In C/C++ or Java:

while (1){
  if (OnConnection()){
    if (PRNG(...)){
      //use the random bytes
    else {
      //cancel the program

Related Attacks

Related Vulnerabilities

Related Controls

  • Implementation: Perform FIPS 140-1 tests on data to catch obvious entropy problems.
  • Implementation: Consider a PRNG which re-seeds itself as needed from a high quality pseudo-random output, like hardware devices.

Related Technical Impacts