Difference between revisions of "Insufficient Entropy"
Line 1: | Line 1: | ||
+ | {{Template:Stub}} | ||
{{Template:Vulnerability}} | {{Template:Vulnerability}} | ||
− | + | ||
+ | __TOC__ | ||
+ | |||
+ | [[ASDR Table of Contents]] | ||
+ | |||
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
− | |||
− | |||
− | |||
[[Category:FIXME|Stub article, needs review]] | [[Category:FIXME|Stub article, needs review]] | ||
Line 54: | Line 56: | ||
[[:Category:Cryptography]] | [[:Category:Cryptography]] | ||
[[:Category:Cryptographic Vulnerability]] | [[:Category:Cryptographic Vulnerability]] | ||
+ | [[Category:Vulnerability]] |
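Review bot: the added `[[Category:Vulnerability]]` line has no leading colon, unlike the `[[:Category:Cryptography]]` and `[[:Category:Cryptographic Vulnerability]]` context lines directly above it. In MediaWiki the colon form only renders a link to the category page and does not file the article in that category, so after this change the article is categorized under Vulnerability but not under either cryptography category. If those two are meant to be real categories as well, drop their leading colon in the same edit.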
Revision as of 19:33, 2 November 2008
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 11/2/2008
Description
Insufficient entropy occurs when an undesirably low amount of entropy is available. Pseudo-random number generators (PRNGs) are susceptible to insufficient entropy when they are initialized, because entropy data may not be available to them yet.
Risk Factors
TBD
Examples
TBD
Related Attacks
- In many cases a PRNG uses a combination of the system clock and entropy to create seed data. Where insufficient entropy is available, an attacker can considerably reduce the effective size of the seed value. Furthermore, by guessing values of the system clock, they can create a manageable set of possible PRNG outputs.
Related Vulnerabilities
Related Controls
- Many PRNGs (/dev/random and /dev/urandom, for example) store their last value before shutdown. By using this value at initialization, they can sometimes avoid insufficient or predictable starting entropy.
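The following added example (not part of the original OWASP page) models the seeding described under Related Attacks and the saved-value control described above. It is a toy generator, not the /dev/random implementation; the function names, the `random-seed` file name and the clock value are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def derive_seed(clock, entropy, saved=b""):
    # Toy model: seed = SHA-256(clock || fresh entropy || value saved at last shutdown).
    return hashlib.sha256(clock.to_bytes(8, "big") + entropy + saved).digest()

def seed_space(clock_window_s, unknown_bits):
    # Number of seeds consistent with a clock window and the unknown input bits.
    return clock_window_s * 2 ** unknown_bits

def boot(clock, entropy, seed_path=None):
    # Returns the generator's first 16 output bytes for this boot.
    saved = b""
    if seed_path and os.path.exists(seed_path):
        with open(seed_path, "rb") as f:
            saved = f.read()
    seed = derive_seed(clock, entropy, saved)
    if seed_path:
        # Overwrite the saved value right away so no two boots reuse it.
        with open(seed_path, "wb") as f:
            f.write(hashlib.sha256(b"next" + seed).digest())
    return hashlib.sha256(b"out" + seed).digest()[:16]

def demo():
    clock = 1225654380  # constructed sample: same clock reading on both boots
    starved = b""       # no fresh entropy collected yet at initialization
    bare = boot(clock, starved) == boot(clock, starved)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "random-seed")  # hypothetical seed file name
        with open(path, "wb") as f:
            f.write(os.urandom(32))  # stands in for the value stored at shutdown
        carried = boot(clock, starved, path) == boot(clock, starved, path)
    return {"repeats_without_saved_value": bare,
            "repeats_with_saved_value": carried,
            "seeds_clock_only_1min": seed_space(60, 0),
            "seeds_with_256_saved_bits_1min": seed_space(60, 256)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The saved value helps only while it stays secret and is not duplicated, for example across cloned disk images that all start from the same stored file.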
Related Technical Impacts
References
TBD
Category:Cryptography Category:Cryptographic Vulnerability