CWE -CWE -331：熵不足（4.10）

弱点ID：331

Abstraction:Base
结构：简单的

View customized information:

Description

该产品使用一种算法或方案，该算法或方案产生不足的熵，留下比其他值更可能发生的值的图案或簇。

关系

该表显示了与该弱点相关的弱点和高级类别。这些关系定义为childof，parentof，ementof，并深入了解可能存在于较高和较低抽象水平的类似项目。此外，定义了诸如Peerof和Canalsobe之类的关系，以显示用户可能想要探索的类似弱点。

Relevant to the view "Research Concepts" (CWE-1000)

自然	Type	ID	姓名
Childof	班级- a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	330	使用不足的随机值
ParentOf	变体 - 与某种类型的产品相关的弱点，通常涉及特定的语言或技术。比基本弱点更具体。变体级别的弱点通常以以下维度的3到5来描述问题：行为，财产，技术，语言和资源。	332	PRNG的熵不足
ParentOf	变体 - 与某种类型的产品相关的弱点，通常涉及特定的语言或技术。比基本弱点更具体。变体级别的弱点通常以以下维度的3到5来描述问题：行为，财产，技术，语言和资源。	333	TRNG中熵不足的处理不当

Relevant to the view "Software Development" (CWE-699)

自然	Type	ID	姓名
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1213	Random Number Issues
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	310	Cryptographic Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)

自然	Type	ID	姓名
Childof	班级- a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	330	使用不足的随机值

Relevant to the view "Architectural Concepts" (CWE-1008)

自然	Type	ID	姓名
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1013	加密数据

介绍模式

引言的不同模式提供了有关如何以及何时引入这种弱点的信息。该阶段识别可能发生介绍的生命周期中的一个点，而音符提供了与给定阶段中引言有关的典型情况。

Phase	笔记
Architecture and Design
Implementation	REALIZATION: This weakness is caused during implementation of an architectural security tactic.

适用的平台

该清单显示了可能出现的弱点的可能区域。这些可能适用于特定的命名语言，操作系统，体系结构，范式，技术或一类此类平台。该平台与给定弱点出现在该实例的频率一起列出。

语言

班级: Not Language-Specific（不确定的患病率）

常见后果

该表指定与弱点相关的不同个人后果。该范围确定了违反的应用程序安全区域，而影响描述了如果对手成功利用这一弱点，就会产生负面的技术影响。其可能性提供了有关预期相对于列表中其他后果的特定后果的可能性的信息。例如，可能会利用弱点来实现一定的影响，但很可能会利用它来实现不同的影响。

Scope	Impact	可能性
Access Control 其他	技术影响：旁路保护机制；其他攻击者可以猜测生成的随机数，并且如果使用随机数来进行身份验证和授权，则可能会获得对系统的未经授权访问。

Demonstrative Examples

Example 1

This code generates a unique random identifier for a user's session.

(bad code)

Example Language:PHP

函数生成essionsId（$ userId）{

srand($userID);
返回rand（）;

}

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

此示例还显示了一个小的种子空间（CWE-339）.

Example 2

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

(bad code)

Example Language:爪哇

字符串GenerateCeipturl（字符串baseurl）{

Random Rangen = new Random（）;
rangen.setseed（（（new Date（））。getTime（））;
return(baseUrl + ranGen.nextInt(400000000) + ".html");

}

该代码使用Random.nextint（）函数来生成其生成的收据页面的“唯一”标识符。因为Random.nextint（）是统计PRNG，所以攻击者很容易猜测其生成的字符串。尽管收据系统的基础设计也有故障，但如果使用随机数生成器，它不会产生可预测的接收标识符，例如加密PRNG，它将更加安全。

Observed Examples

Reference	Description
CVE-2001-0950	Insufficiently random data used to generate session tokens using C rand(). Also, for certificate/key generation, uses a source that does not block when entropy is low.
CVE-2008-2108	Chain: insufficient precision (CWE-1339）in random-number generator causes some zero bits to be reliably generated, reducing the amount of entropy (CWE-331）

Potential Mitigations

Phase: Implementation

确定必要的熵以充分提供随机性和可预测性。这可以通过增加键和种子等物体的位数来实现。

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

自然	Type	ID	姓名
MemberOf	查看 - CWE条目的子集，提供了一种检查CWE内容的方法。两个主视图结构是切片（平面列表）和图（包含条目之间的关系）。	884	CWECross-section
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	905	SFP Primary Cluster: Predictability
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1170	SEI CERT C编码标准 - 指南48.其他（MSC）
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	1346	OWASP前十2021年A02：2021-加密故障

笔记s

维护

As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.

Taxonomy Mappings

映射的分类名称	Node ID	Fit	Mapped Node Name
plover			Insufficient Entropy
WASC	11		Brute Force
CERT C Secure Coding	MSC32-C	Exact	Properly seed pseudorandom number generators

Common Weakness Enumeration

CWE-331：熵不足


	Site Map\|使用条款\|Privacy Policy\|Contact Us\| Use of the Common Weakness Enumeration (CWE) and the associated references from this website are subject to the使用条款. CWE is sponsored by theU.S. Department of Homeland Security(DHS)Cybersecurity and Infrastructure Security Agency（CISA），由Homeland Security Systems Engineering and Development Institute(HSSEDI) which is operated bymanbetx客户端首页(MITRE). Copyright © 2006–2023, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.