Failure of true random number generator

Article ID: 139
Last updated: 08 May, 2008
Posted: 08 May, 2008
by: Tech Pubs S.
Updated: 08 May, 2008
by: Tech Pubs S.

Overview

True random number generators generally have a limited source of entropy and therefore can fail or block.

Consequences

  • Availability: A program may crash or block if it runs out of random numbers.

Exposure period

  • Requirements specification: Choose an operating system which is aggressive and effective at generating true random numbers.
  • Implementation: This type of failure is a logical flaw which can be exacerbated by a lack of or the misuse of mitigating technologies.

Platform

  • Languages: Any
  • Operating platforms: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Low to Medium

Avoidance and mitigation

  • Implementation: Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.

Discussion

The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.

Examples

In C:

while (1) {
  if (connection) {
    if (hwRandom()) {
      // use the random bytes
    }
    else {
      // hwRandom() returned no random bytes: cancel the program
    }
  }
}
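
The mitigation described under "Avoidance and mitigation", waiting for more random bytes rather than cancelling, as an added example that is not part of the original article. The helper name fill_random() and its parameters are assumptions; fd stands for any descriptor that delivers bytes from an entropy source.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* fill_random() is a hypothetical helper, not code from the article.
 * It fills buf with len bytes from fd, a descriptor for an entropy source
 * (for example a hardware RNG device), and waits for more bytes when the
 * source is temporarily empty instead of cancelling the program.
 * timeout_ms bounds each wait; -1 waits indefinitely.
 * Returns 0 on success; -1 on timeout, end of file or I/O error, in which
 * case buf is incomplete and must not be used. */
int fill_random(int fd, unsigned char *buf, size_t len, int timeout_ms)
{
    size_t got = 0;
    int flags = fcntl(fd, F_GETFL);

    /* Non-blocking mode lets poll() enforce the caller's wait budget. */
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
        return -1;

    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;      /* short read: keep it, ask for the rest */
            continue;
        }
        if (n == 0)
            return -1;             /* source closed */
        if (errno == EINTR)
            continue;              /* interrupted by a signal: retry */
        if (errno != EAGAIN && errno != EWOULDBLOCK)
            return -1;             /* hard I/O error */

        /* Source is empty for now: sleep until it has bytes again. */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0)
            return -1;             /* waited timeout_ms with no new bytes */
        if (r < 0 && errno != EINTR)
            return -1;
    }
    return 0;
}
```

A finite timeout_ms keeps a starved source from blocking a connection handler forever, so the caller can reject that one request while the program keeps running.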