Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Medium
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks.
Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or even preferable for algorithms that use random numbers (simulations, hashing, load balancing). Weak generators generally take less processing power and do not consume the scarce, finite entropy sources on a system. The features that make such PRNGs convenient, a small internal state, speed, and the ability to reproduce a whole sequence from one seed, are exactly what lets an attacker who learns or guesses the seed reproduce every output and break the cryptography built on it.
Nature | CWE ID | View ID | Ordinal |
---|---|---|---|
ChildOf | 330 | 1000 | Primary |
ChildOf | 330 | 1003 | Primary |
ChildOf | 330 | 699 | Primary |
Language: Language-Independent (Prevalence: Undetermined)
Scope | Impact | Notes |
---|---|---|
Access Control | Bypass Protection Mechanism | If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality. |
Strategy:
Use functions or hardware that draw on a hardware-based (operating-system-seeded) random number generator for all cryptographic purposes. This is the recommended solution. Use CryptGenRandom (or the newer BCryptGenRandom) on Windows; on Linux the entry text names hw_rand(), which is not a standard system interface, so in practice read from the kernel CSPRNG via getrandom(2) or /dev/urandom. Never seed these from, or replace them with, rand(), java.util.Random, or similar statistical generators.
Both of these examples use a statistical PRNG to generate a random number (the example listings themselves are not reproduced on this page):
Example (bad code), Java
Example (bad code), C
The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these examples also exhibit CWE-337 (Predictable Seed in PRNG).
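The following is an added example, not code from the CWE entry, that makes the point of the mitigation and of the bad examples concrete in C. The weak side builds a 16-byte token from rand() seeded with the issue time, the way many session-ID and recovery-key generators have done; the attacker side shows that knowing the token's issue time to within a minute is enough to recover the seed and reproduce the token. The hardened side reads the token from /dev/urandom (on Linux, getrandom(2) is the preferred call; /dev/urandom is used here for portability). The function names, the token length and the time window are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

/* Added example (not from the CWE entry). Shows a rand()-based token
 * beside a kernel-CSPRNG-based token and an attack on the former. */

#define TOKEN_BYTES 16   /* assumed token length for this example */

/* Weak: the entire token is a deterministic function of a 32-bit seed.
 * Seeding from the clock (a common pattern) means the seed is guessable. */
static void weak_token(unsigned seed, uint8_t out[TOKEN_BYTES]) {
    srand(seed);
    for (int i = 0; i < TOKEN_BYTES; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Attacker model: the attacker saw a token and knows roughly when it was
 * issued. Try every seed within +/- window seconds of guess_time and return
 * the seed that regenerates the token, or -1 if none does. */
static long recover_seed(const uint8_t token[TOKEN_BYTES],
                         unsigned guess_time, unsigned window) {
    uint8_t cand[TOKEN_BYTES];
    for (unsigned s = guess_time - window; s <= guess_time + window; s++) {
        weak_token(s, cand);
        if (memcmp(cand, token, TOKEN_BYTES) == 0)
            return (long)s;
    }
    return -1;
}

/* Strong: read the token from the OS CSPRNG. Returns 0 on success, -1 on
 * failure (callers must fail closed, never fall back to rand()). */
static int strong_token(uint8_t out[TOKEN_BYTES]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, TOKEN_BYTES, f);
    fclose(f);
    return n == TOKEN_BYTES ? 0 : -1;
}

/* Issue a weak token at issue_time and return the seed an attacker recovers
 * by searching +/- window seconds around guess_time (-1 if not found). */
long demo_weak_recovery(unsigned issue_time, unsigned guess_time, unsigned window) {
    uint8_t tok[TOKEN_BYTES];
    weak_token(issue_time, tok);
    return recover_seed(tok, guess_time, window);
}

/* Returns 1 if two freshly drawn strong tokens were read successfully and
 * differ (a collision of two 128-bit values is negligible), else 0. */
int demo_strong_distinct(void) {
    uint8_t a[TOKEN_BYTES], b[TOKEN_BYTES];
    if (strong_token(a) != 0 || strong_token(b) != 0)
        return 0;
    return memcmp(a, b, TOKEN_BYTES) != 0;
}

int main(void) {
    unsigned issued = (unsigned)time(NULL);
    /* The attacker is off by 30 seconds and searches a one-minute window. */
    long found = demo_weak_recovery(issued, issued + 30u, 60u);
    printf("rand() token issued at %u: attacker recovered seed %ld\n", issued, found);
    printf("/dev/urandom tokens distinct: %d\n", demo_strong_distinct());
    return 0;
}
```

The brute-force loop tries only 121 seeds; even with no timing hint at all, a 32-bit seed space is exhausted in minutes on one core, which is why the seed-search attack does not depend on the weak seeding choice alone: rand() has no hidden state beyond the seed, so any output is as good as the key.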
Identifier | Description | Link |
---|---|---|
CVE-2009-3278 | Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278 |
CVE-2009-3238 | Random number generator can repeatedly generate the same value. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238 |
CVE-2009-2367 | Web application generates predictable session IDs, allowing session hijacking. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367 |
CVE-2008-0166 | SSL library uses a weak random number generator that only generates 65,536 unique keys. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | Non-cryptographic PRNG | ||
CERT C Secure Coding | MSC30-C | CWE More Abstract | Do not use the rand() function for generating pseudorandom numbers |