Comprehensive Categorization: Randomness

The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary ...

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or ...

True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

The J2EE application is configured to use an insufficient session ID length.

An exact value or random number can be precisely predicted by observing previous values.

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next val...

Nonces should be used for the present occasion and only once.

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

The device uses an algorithm that is predictable and generates a pseudo-random number.

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...