CWE-333: Improper Handling of Insufficient Entropy in TRNG
| Weakness ID: 333 (Weakness Variant) | Status: Draft |
Description
Description Summary
True random number generators (TRNG) generally have a limited
source of entropy and therefore can fail or block.
Extended Description
The rate at which true random numbers can be generated is limited. It is
important that one uses them only when they are needed for security.
Time of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Effect |
|---|---|
| Availability | A program may crash or block if it runs out of random numbers. |
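Likelihood of Exploit
Demonstrative Examples
Example 1
(Bad Code) C
    /* Every connection draws from the TRNG; nothing handles the case
       where the generator runs out of entropy and fails or blocks. */
    while (1) {
        if (connection) {
            if (hwRandom()) {
            }
            else if (hwRandom()) {
            }
        }
    }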
Potential Mitigations
| Phase | Description |
|---|---|
| Implementation | Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created. |
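
The mitigation above, sketched as an added example that is not part of the CWE entry: a wrapper that waits for the TRNG to recover instead of failing on the first empty read, with a bound on the wait so the caller cannot block forever. The names `hw_random_try`, `wait_for_entropy`, `trng_fill` and `new_session_id` are hypothetical, and the TRNG is a constructed simulation whose output values are placeholders, not random data.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a hardware TRNG (hypothetical, not a real driver
 * API): a small pool of words that reports failure when it is empty. */
static unsigned sim_pool = 2;            /* words currently available */
static unsigned sim_waits = 0;           /* how often a caller had to wait */
static uint32_t sim_state = 0x9e3779b9u;

/* Returns 0 and stores a word, or -1 when no entropy is available. The status
 * is out-of-band, so an output value of 0 is never mistaken for failure. */
static int hw_random_try(uint32_t *out) {
    if (sim_pool == 0) return -1;
    sim_pool--;
    sim_state = sim_state * 1664525u + 1013904223u; /* placeholder, NOT random */
    *out = sim_state;
    return 0;
}

/* Stand-in for sleeping until the device has gathered more entropy; in this
 * simulation every third wait makes one more word available. */
static void wait_for_entropy(void) {
    if (++sim_waits % 3 == 0) sim_pool++;
}

enum { TRNG_OK = 0, TRNG_TIMEOUT = -1 };

/* Fill buf with n words. When the source runs dry, wait for more instead of
 * failing at once; give up after max_waits so a dead device cannot hang the
 * caller forever. */
int trng_fill(uint32_t *buf, size_t n, unsigned max_waits) {
    unsigned waits = 0;
    size_t i = 0;
    while (i < n) {
        if (hw_random_try(&buf[i]) == 0) { i++; continue; }
        if (waits++ >= max_waits) {
            for (size_t j = 0; j < n; j++) buf[j] = 0; /* no partial output */
            return TRNG_TIMEOUT;
        }
        wait_for_entropy();
    }
    return TRNG_OK;
}

/* Per-connection use: a 64-bit session ID is issued only if the TRNG delivered
 * both words; on TRNG_TIMEOUT the caller should refuse the connection. */
int new_session_id(uint32_t id[2]) {
    return trng_fill(id, 2, 16);
}
```

With a real device, `wait_for_entropy` would sleep or block on the driver, and the retry bound would be chosen from the device's documented generation rate.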
Relationships
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | | | Failure of TRNG |
Content History
Submissions
| Submission Date | Submitter | Organization | Source |
|---|---|---|---|
| | CLASP | | Externally Mined |
Modifications
| Modification Date | Modifier | Organization | Source | Changes |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
| 2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
| 2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name |
| 2009-10-29 | CWE Content Team | MITRE | Internal | updated Description, Other Notes |