Sam Craig
October 20, 2022

Exploring CWE-330 Use of Insufficiently Random Values

Introduction

The OWASP Top 10 list provides in-depth information about the most common security issues facing web applications. Number two on the list is A02:2021 – Cryptographic Failures, which covers a wide range of common mistakes.

Among these cryptographic failures is the use of insufficiently random values, tracked as CWE-330. Whether through a failure to use random values at all or the use of an insufficiently secure random number generator, this vulnerability can undermine the protection provided by data encryption.

Providing the Right Level of Randomness

Random or pseudorandom numbers are necessary in various contexts. Scientists may need random values when running experiments. Games and gambling applications require random values to determine the next card in a deck or the results of spinning a slot machine. Cryptographic algorithms need random numbers to generate private keys and other inputs to encryption algorithms.

These different use cases have very different needs for the level of randomness provided. In scientific experiments, the generated values only need to be statistically random. It doesn’t matter if a determined attacker could predict the values as long as the values accurately reflect whatever the scientist is looking to measure.

Games and gambling applications have a higher expectation of randomness. If a player can predict the stream of random values, then they might be able to cheat at the game. For example, when playing poker, knowledge of the next card in the deck or of another player’s hand provides a significant advantage. The random values used in a game should not be predictable, but the effects if they are predictable are limited.

Cryptographic algorithms have the strongest need for random values to be unpredictable. The protection provided by cryptographic algorithms falls apart if an attacker can guess private keys or other random values used by the algorithms. With encryption’s role in protecting sensitive data, the use of weak random number generation in cryptographic code can be catastrophic.

Where Random Number Generation Goes Wrong

The purpose of a random number generator (RNG) on a computer is to generate random values. However, computers are deterministic and are unable to produce truly random numbers. Instead, pseudorandom number generators (PRNGs) use some source of entropy to generate a series of pseudorandom values.

PRNGs are classified into one of two categories. Statistical PRNGs are designed to meet scientists’ needs for random values. A statistical PRNG generates values that look random but are actually predictable.

Cryptographic PRNGs are designed to generate an unpredictable series of pseudorandom values. While anyone with knowledge of the initial seed could regenerate the sequence, it is infeasible for an attacker observing the stream of generated values to predict other values in the sequence. The pseudorandom values generated by a cryptographic PRNG are suitable for use cases where an attacker predicting the series of values is problematic, such as gambling applications or cryptographic code.

Issues arise when cryptographic algorithms use statistical PRNGs to generate essential values such as their private keys or other inputs that must be unpredictable. If this occurs, an attacker that can guess the series of pseudorandom values generated by the PRNG can calculate these values and break the encryption. This assumes, of course, that the developer makes an attempt to generate and use a random value where it is required.

Case Study: Zerologon

Zerologon was a vulnerability discovered in Microsoft’s Netlogon protocol in 2020. Tracked as CVE-2020-1472, the vulnerability could allow an attacker to gain domain administrator privileges on a Microsoft Active Directory domain.

The issue was that Netlogon used AES-CFB8 as part of its authentication process, which requires a random initialization vector (IV) to ensure that identical plaintexts produce different ciphertexts. Instead of a random IV, the Netlogon Remote Protocol used a hardcoded IV of all zeros as the challenge in an authentication protocol. With a 1/256 probability, encrypting an all-zero plaintext yielded an all-zero ciphertext, enabling an attacker to authenticate successfully without knowledge of the secret key.
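
The 1-in-256 behaviour described above follows from how CFB8 feeds each ciphertext byte back into its shift register, and the following added example (not Microsoft's code and not code from the original post) reproduces it. It assumes a stand-in block function built from HMAC-SHA256 in place of AES, which suffices because CFB mode only uses the cipher's forward direction; the keys are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)

def block_encrypt(key, block):
    """Stand-in for AES (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb8_encrypt(key, iv, plaintext):
    """CFB8: one keystream byte per block-cipher call, ciphertext fed back."""
    register, out = bytes(iv), bytearray()
    for p in plaintext:
        c = block_encrypt(key, register)[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])   # shift in the ciphertext byte
    return bytes(out)

def constructed_keys(n):
    """Deterministic sample keys, constructed for this demonstration."""
    return [hashlib.sha256(b"demo-key-%d" % i).digest()[:16] for i in range(n)]

def all_zero_count(keys, iv_factory):
    """Count keys for which 8 zero bytes encrypt to 8 zero bytes."""
    zeros = bytes(8)
    return sum(cfb8_encrypt(k, iv_factory(), zeros) == zeros for k in keys)

def first_byte_zero_count(keys):
    """Count keys whose first keystream byte under the zero IV is 0x00.

    If that byte is zero, the register stays all zeros after the shift,
    so every later keystream byte is the same zero byte.
    """
    return sum(block_encrypt(k, ZERO_IV)[0] == 0 for k in keys)

if __name__ == "__main__":
    keys = constructed_keys(4096)
    fixed = all_zero_count(keys, lambda: ZERO_IV)
    fresh = all_zero_count(keys, lambda: os.urandom(BLOCK))
    print("fixed zero IV:", fixed, "of", len(keys))
    print("random IV    :", fresh, "of", len(keys))
```

With the all-zero IV the count lands near 4096/256 = 16, because the outcome depends only on a single keystream byte; with a fresh random IV all eight keystream bytes would have to be zero independently.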

Generating Secure Random Values

Random number generation is a complex problem on deterministic computers. As a result, cryptographic algorithms use pseudorandom numbers instead.

When a cryptographic algorithm demands a random number, developers should use a cryptographic pseudorandom number generator, not a statistical one, to produce this value. Better yet, use a library that securely handles these details behind the scenes, avoiding expensive and dangerous errors.
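
To make the statistical-versus-cryptographic distinction and the recommendation above concrete, the following added example (not from the original post) uses Python, whose `random` module is a statistical PRNG (Mersenne Twister) and whose `secrets` module draws from the operating system's cryptographic generator. It shows that 624 observed 32-bit outputs of `random` are enough to reproduce every later value, including a 128-bit token; the seed and function names are constructed for the demonstration.

```python
import random
import secrets

def _undo_xor_rshift(y, shift):
    """Invert y ^= y >> shift on a 32-bit word."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x

def _undo_xor_lshift(y, shift, mask):
    """Invert y ^= (y << shift) & mask on a 32-bit word."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & 0xFFFFFFFF

def untemper(y):
    """Recover the internal state word behind one 32-bit MT19937 output."""
    y = _undo_xor_rshift(y, 18)
    y = _undo_xor_lshift(y, 15, 0xEFC60000)
    y = _undo_xor_lshift(y, 7, 0x9D2C5680)
    return _undo_xor_rshift(y, 11)

def clone_statistical_prng(outputs):
    """Rebuild a random.Random from 624 consecutive 32-bit outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone

def weak_token(rng):
    """Anti-pattern: a 128-bit 'secret' drawn from the statistical PRNG."""
    return rng.getrandbits(128).to_bytes(16, "big").hex()

def strong_token():
    """Correct: 128 bits from the operating system's CSPRNG."""
    return secrets.token_hex(16)

def demo():
    app_rng = random.Random(20221020)          # constructed seed for the demo
    observed = [app_rng.getrandbits(32) for _ in range(624)]
    clone = clone_statistical_prng(observed)
    predicted, actual = weak_token(clone), weak_token(app_rng)
    return predicted == actual, strong_token() != strong_token()

if __name__ == "__main__":
    print(demo())
```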

Up Next

To help build understanding of how cryptography can go wrong and how to fix it, we’ll continue to dive deep into prevention measures and most of the 29 CWEs related to OWASP’s A02:2021 – Cryptographic Failures vulnerability in a series of blogs. Each blog will describe the weakness, why it happens, a real-world case study, and recommended mitigations.

We’re very committed to improving the state of cryptography and data security by sharing knowledge and helping to correct common misconceptions about how cryptography works and how to use it properly. To keep up with this series and our other research and cryptography content, make sure to subscribe to our blog in the page footer below.
