Insufficient Entropy in PRNG

From Guidance Share


Description

The lack of entropy available for, or used by, a pseudo-random number generator (PRNG) can be a stability and security threat.


Applies To

  • Languages: Any
  • Operating platforms: Any


Example

Impact

  • Availability: If a pseudo-random number generator (PRNG) draws from a limited entropy source that runs out, and the generator fails closed (it blocks rather than returning lower-quality output), the program may pause or crash.
  • Authentication: If a PRNG draws from a limited entropy source, its output can become predictable. Predictable random numbers weaken the encryption used to authenticate users.


Vulnerabilities

  • Failure to account for a PRNG running out of random numbers.


Countermeasures

  • Implementation: Use cryptographically strong random number generators.
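The following Python example illustrates both the Authentication impact above and this countermeasure. It is added here and is not code from Guidance Share. It generates a token with a seeded, non-cryptographic PRNG (Python's Mersenne Twister) and shows that the number of distinct tokens is bounded by the seed space rather than by the token length; it then generates the same token with the CSPRNG-backed `secrets` module. The one-hour, one-second-resolution clock seed space is a constructed scenario, not a measurement.

```python
import math
import random
import secrets

TOKEN_BYTES = 16  # 128-bit tokens in both variants


def seeded_token(seed: int) -> str:
    """Token from Python's Mersenne Twister PRNG with an explicit seed.

    random.Random is not a CSPRNG: the same seed always yields the same
    token, so the token is only as unpredictable as the seed.
    """
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def reachable_tokens(seed_space: range) -> set:
    """Enumerate every token the seeded generator can produce when its seed
    comes from the given seed space.  The size of this set, not the token
    length, bounds the real entropy of the token."""
    return {seeded_token(s) for s in seed_space}


def effective_entropy_bits(seed_space_size: int) -> float:
    """Entropy of a token whose only variable input is a uniformly chosen
    seed from a space of the given size."""
    return math.log2(seed_space_size)


def strong_token() -> str:
    """Token from a cryptographically strong generator.

    secrets draws from os.urandom, the operating system's CSPRNG, so the
    token has the full 128 bits of entropy its length suggests.
    """
    return secrets.token_hex(TOKEN_BYTES)


if __name__ == "__main__":
    # Constructed scenario: the weak variant is seeded from a clock with
    # one-second resolution, and the token is known to have been issued
    # within a particular hour, so at most 3600 seeds are possible.
    one_hour_of_seconds = range(0, 3600)
    tokens = reachable_tokens(one_hour_of_seconds)
    print("distinct weak tokens:", len(tokens))
    print("effective entropy:   %.1f bits (token is %d bits long)"
          % (effective_entropy_bits(len(one_hour_of_seconds)), TOKEN_BYTES * 8))
    print("strong token:        ", strong_token())
```

The mitigation is the `strong_token` path: take randomness from the platform CSPRNG instead of seeding a general-purpose PRNG from a low-entropy value. The `reachable_tokens` count is the check to keep in mind when reviewing code: if you can enumerate the seed, you can enumerate the output.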


Vulnerability Patterns


How Tos
