CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Structure: Simple

Abstraction: Base

Status: Draft

Likelihood of Exploit: Medium

Description

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Extended Description

When a non-cryptographic PRNG is used in a cryptographic context, it can expose the cryptography to certain types of attacks.

Often a pseudo-random number generator (PRNG) is not designed for cryptography. Sometimes a mediocre source of randomness is sufficient or even preferable for algorithms that use random numbers. Weak generators generally take less processing power and/or do not consume the precious, finite entropy sources on a system. While such PRNGs might have very useful features, those same features (a small internal state, a predictable sequence from a given seed) could be used to break the cryptography.

Relationships

  • ChildOf CWE-330 (View 1000, Primary)

  • ChildOf CWE-330 (View 1003, Primary)

  • ChildOf CWE-330 (View 699, Primary)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism
Note: If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality.

Potential Mitigations

Phase: Implementation

Strategy:

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.

Demonstrative Examples

Both of these examples use a statistical PRNG to generate a random number:

bad Java

import java.util.Random;

// Statistical PRNG seeded from the clock: the sequence is reproducible by anyone who knows the seed
Random random = new Random(System.currentTimeMillis());
int accountID = random.nextInt();

bad C

#include <stdlib.h>
#include <time.h>

/* Statistical PRNG seeded from the clock: rand() is not cryptographically strong */
srand((unsigned int)time(NULL));
int randNum = rand();

The random number functions used in these examples, rand() and Random.nextInt(), are not considered cryptographically strong. An attacker may be able to predict the random numbers generated by these functions. Note that these examples also exhibit CWE-337 (Predictable Seed in PRNG).
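The following is an added example, not code from the CWE entry itself. It places the page's weak C pattern (rand() seeded from the clock) beside a hardened replacement that draws the identifier from the operating system's CSPRNG, as the mitigation above recommends. It assumes a POSIX system that exposes /dev/urandom; the function names weak_account_id, csprng_bytes, strong_account_id and strong_ids_differ are chosen here for illustration.

```c
/* Added example: weak PRNG use beside its hardened form.
 * Assumption: a POSIX system where /dev/urandom is readable. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>

/* Weak: mirrors the page's "bad C" example. rand() is a statistical PRNG
 * and the seed is a public, low-entropy value (CWE-337 plus CWE-338).
 * Calling it twice with the same seed returns the same "random" id. */
int weak_account_id(unsigned int seed)
{
    srand(seed);            /* in real code the seed is (unsigned)time(NULL) */
    return rand();
}

/* Hardened: fill buf with len bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure. On failure the caller must fail
 * closed rather than fall back to rand(). */
int csprng_bytes(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Hardened account/session identifier: 64 bits straight from the CSPRNG,
 * no seed involved. Returns 0 on success, -1 if no CSPRNG is available. */
int strong_account_id(uint64_t *out)
{
    return csprng_bytes(out, sizeof *out);
}

/* Sanity check used by the tests: two CSPRNG draws must differ.
 * Returns 1 if both draws succeed and differ, 0 otherwise. */
int strong_ids_differ(void)
{
    uint64_t a = 0, b = 0;
    if (strong_account_id(&a) != 0 || strong_account_id(&b) != 0)
        return 0;
    return a != b;
}

int main(void)
{
    unsigned int seed = (unsigned int)time(NULL);
    printf("weak id (seed %u):            %d\n", seed, weak_account_id(seed));
    printf("weak id again, same seed:     %d\n", weak_account_id(seed));

    uint64_t id;
    if (strong_account_id(&id) != 0) {
        fprintf(stderr, "CSPRNG unavailable; refusing to issue an identifier\n");
        return 1;
    }
    printf("strong id:                    %016llx\n", (unsigned long long)id);
    return 0;
}
```

The design point is that the hardened path has no seed for an attacker to guess and fails closed when the CSPRNG cannot be read, instead of silently degrading to rand(). On Linux the same effect is available through getrandom(2), and on Windows through the CryptGenRandom API named in the mitigation; the /dev/urandom read is used here only because it needs no platform-specific header.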

Observed Examples

ID   Description   Link
CVE-2009-3278 Crypto product uses rand() library function to generate a recovery key, making it easier to conduct brute force attacks. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3278
CVE-2009-3238 Random number generator can repeatedly generate the same value. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238
CVE-2009-2367 Web application generates predictable session IDs, allowing session hijacking. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2367
CVE-2008-0166 SSL library uses a weak random number generator that only generates 65,536 unique keys. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

Taxonomy Mappings

Mapped Taxonomy Name: CLASP
Mapped Node Name: Non-cryptographic PRNG

Mapped Taxonomy Name: CERT C Secure Coding
Node ID: MSC30-C
Fit: CWE More Abstract
Mapped Node Name: Do not use the rand() function for generating pseudorandom numbers

References