CWE-1241: Use of Predictable Algorithm in Random Number Generator

BaseDraft

The device uses an algorithm that is predictable and generates a pseudo-random number.

View on MITRE
Back to CWE Lookup

Extended Description

Pseudo-random number generator algorithms are predictable because their registers have a finite number of possible states, which eventually lead to repeating patterns. As a result, pseudo-random number generators (PRNGs) can compromise their randomness or expose their internal state to various attacks, such as reverse engineering or tampering. It is highly recommended to use hardware-based true random number generators (TRNGs) to ensure the security of encryption schemes. TRNGs generate unpredictable, unbiased, and independent random numbers because they employ physical phenomena, e.g., electrical noise, as sources to generate random numbers.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-1241: Use of Predictable Algorithm in Random Number Generator?+

CWE-1241: Use of Predictable Algorithm in Random Number Generator is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The device uses an algorithm that is predictable and generates a pseudo-random number. Pseudo-random number generator algorithms are predictable because their registers have a finite number of possible states, which eventually lead to repeating patterns. As a result, pseudo-random number generators (PRNGs) can compromise their randomness or expose their internal state to various attacks, such as reverse engineering or tampering. It is highly recommended to use hardware-based true random number generators (TRNGs) to ensure the security of encryption schemes. TRNGs generate unpredictable, unbiased, and independent random numbers because they employ physical phenomena, e.g., electrical noise, as sources to generate random numbers.

What are the security consequences of Use of Predictable Algorithm in Random Number Generator?+

If exploited, CWE-1241 (Use of Predictable Algorithm in Random Number Generator) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Use of Predictable Algorithm in Random Number Generator?+

Recommended mitigations for CWE-1241 include: A true random number generator should be specified for cryptographic algorithms. A true random number generator should be implemented for cryptographic algorithms.

What are real-world examples of Use of Predictable Algorithm in Random Number Generator?+

MITRE documents real CVEs mapped to CWE-1241, including CVE-2021-3692. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1241 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More