CWE - 330 : Use of Insufficiently Random Values
CWE Definition
|
http://cwe.mitre.org/data/definitions/330.html
|
Number of vulnerabilities:
|
42
|
Description
|
The software may use insufficiently random numbers or values in
a security context that depends on unpredictable numbers.When software generates predictable values in a context requiring
unpredictability, it may be possible for an attacker to guess the next value
that will be generated, and use this guess to impersonate another user or
access sensitive information. |
Background Details
|
Computers are deterministic machines, and as such are unable to produce
true randomness. Pseudo-Random Number Generators (PRNGs) approximate
randomness algorithmically, starting with a seed from which subsequent
values are calculated. There are two types of PRNGs: statistical and
cryptographic. Statistical PRNGs provide useful statistical properties, but
their output is highly predictable and forms an easy to reproduce numeric
stream that is unsuitable for use in cases where security depends on
generated values being unpredictable. Cryptographic PRNGs address this
problem by generating output that is more difficult to predict. For a value
to be cryptographically secure, it must be impossible or highly improbable
for an attacker to distinguish between it and a truly random value. |
Other Notes
|
|
|
|
Warning! CWE definitions are provided as a quick reference. They are
not complete and may not be up to date!
You must visit
http://cwe.mitre.org/ for a complete list of CWE entries
and for more details.