CWE-333: Improper Handling of Insufficient Entropy in TRNG

Description

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Example Vulnerable Codes

Example - 1

This code uses a TRNG to generate a unique session id for new connections to a server:


int sessionID = hwRandom();createNewConnection(sessionID);if (hwRandom()){} } }if (haveNewConnection()){while (1){

This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-331: Insufficient Entropy
Go to
CWE-703: Improper Check or Handling of Exceptional Conditions
Go to

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 22, 2024 1:44