CWE-333 TRNG不充分信息熵的处理不恰当

Improper Handling of Insufficient Entropy in TRNG

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: Low


True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.


The rate at which true random numbers can be generated is limited. It is important that one uses them only when they are needed for security.


  • cwe_Nature: ChildOf cwe_CWE_ID: 331 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 331 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 703 cwe_View_ID: 1000


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Availability DoS: Crash, Exit, or Restart A program may crash or block if it runs out of random numbers.




Rather than failing on a lack of random numbers, it is often preferable to wait for more numbers to be created.


This code uses a TRNG to generate a unique session id for new connections to a server:

bad C

while (1){
if (haveNewConnection()){
if (hwRandom()){
int sessionID = hwRandom();
} } }

This code does not attempt to limit the number of new connections or make sure the TRNG can successfully generate a new random number. An attacker may be able to create many new connections and exhaust the entropy of the TRNG. The TRNG may then block and cause the program to crash or hang.


映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Failure of TRNG
The CERT Oracle Secure Coding Standard for Java (2011) MSC02-J Generate strong random numbers