CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG)

AI Translation Available

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Status

draft

Abstraction

variant

Affected Platforms

Extended Description

AI Translation

Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.

Technical Details

AI Translation

Common Consequences

other access control

Impacts

other bypass protection mechanism

Detection Methods

automated static analysis

Potential Mitigations

Phases:

architecture and design requirements

Descriptions:

• Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.

• Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

AI Generated Translation

Common Consequences

altro controllo degli accessi

Impacts

altro elusione del meccanismo di protezione

Detection Methods

analisi statica automatizzata

Potential Mitigations

Phases:

architettura e design requisiti

Descriptions:

• Non riutilizzare i semi PRNG. Considera un PRNG che si ri-seed periodicamente secondo necessità da un output pseudo-casuale di alta qualità, come dispositivi hardware.

• Utilizzare prodotti o moduli conformi a FIPS 140-2 [REF-267] per evitare problemi evidenti di entropia, oppure utilizzare, se possibile, le più recenti FIPS 140-3 [REF-1192].

CWE-336

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Iscriviti alla newsletter