The system’s random numbers must be generated using a uniform distribution.
The system’s cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. Some of these keys and other critical elements are generated using random numbers. In these cases, the random numbers themselves must be generated using secure mechanisms that guarantee a random distribution.
CAPEC-20: Encryption Brute Forcing: An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
CWE-330: Use of Insufficiently Random Values: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
CWE-331: Insufficient Entropy: The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
CWE-332: Insufficient Entropy in PRNG: The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG): The software uses a Pseudo-Random Number Generator (PRNG) that does not correctly manage seeds.
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG): The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG’s algorithm is not cryptographically strong.
CWE-340: Generation of Predictable Numbers or Identifiers: The product uses a scheme that generates numbers or identifiers that are more predictable than required.
OWASP-ASVS v4.0.1 V2.6 Look-up Secret Verifier Requirements.(2.6.3): Verify that lookup secrets are resistant to offline attacks, such as predictable values.
OWASP-ASVS v4.0.1 V6.3 Random Values.(6.3.1): Verify that all random numbers, random file names, random GUIDs, and random strings are generated using the cryptographic module’s approved cryptographically secure random number generator when these random values are intended to be not guessable by an attacker.
OWASP-ASVS v4.0.1 V6.3 Random Values.(6.3.2): Verify that random GUIDs are created using the GUID v4 algorithm, and a cryptographically-secure pseudo-random number generator (CSPRNG). GUIDs created using other pseudo-random number generators may be predictable.
OWASP-ASVS v4.0.1 V6.3 Random Values.(6.3.3): Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstances.