Read Time:48 Second

Description

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Given the deterministic nature of PRNGs, using the same seed for each initialization will lead to the same output in the same order. If an attacker can guess (or knows) the seed, then the attacker may be able to determine the random numbers that will be produced from the PRNG.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-335

 

Consequences

Other, Access Control: Other, Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Do not reuse PRNG seeds. Consider a PRNG that periodically re-seeds itself as needed from a high quality pseudo-random output, such as hardware devices.

Phase: Architecture and Design, Requirements

Description: 

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

CVE References