Failure of true random number generator

From OWASP

Jump to: navigation, search

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 3/6/2009

Vulnerabilities Table of Contents

Description

True random number generators generally have a limited source of entropy and therefore can fail or block.

Consequences

Availability: A program may crash or block if it runs out of random numbers.

Exposure period

Requirements specification: Choose an operating system which is aggressive and effective at generating true random numbers.
Implementation: This type of failure is a logical flaw which can be exacerbated by a lack of or the misuse of mitigating technologies.

Platform

Languages: Any
Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Low to Medium

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Risk Factors

TBA

Examples

In C:

while (1){
  if (connection){
    if (hwRandom()){
      //use the random bytes
    }
    else (hwRandom()) {
      //cancel the program
  } 
}

Related Attacks

Related Vulnerabilities

Related Controls

Implementation: Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.

Related Technical Impacts

References

TBD

Retrieved from "http://www.owasp.org/index.php/Failure_of_true_random_number_generator"

Categories: OWASP ASDR Project | Vulnerability | FIXME: can this be combined with the Insufficient Entropy article? | FIXME | Environmental Vulnerability | OWASP CLASP Project

Views

Personal tools

Log in

search

Reference

Language

Toolbox