CWE-333 TRNG不充分信息熵的处理不恰当
Improper Handling of Insufficient Entropy in TRNG
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: Low
基本描述
True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.
扩展描述
The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 331 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 331 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 703 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Availability | DoS: Crash, Exit, or Restart | A program may crash or block if it runs out of random numbers. |
可能的缓解方案
Implementation
策略:
Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.
示例代码
例
This code uses a TRNG to generate a unique session id for new connections to a server:
bad C
createNewConnection(sessionID);
This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Failure of TRNG | ||
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC02-J | Generate strong random numbers |