Exploring CWE-331: Insufficient Entropy

Introduction

Application security is critical to prevent cyber attacks. The OWASP Top Ten list is a well-known resource that identifies the most common and dangerous vulnerabilities in web applications and software.

One of the vulnerabilities in the OWASP Top Ten is Cryptographic Failures, which includes the use of insufficient entropy for cryptographic values that should be random. This vulnerability is known as CWE-331.

Introduction to Entropy

Entropy is a measure of the disorder or randomness that exists within a system. The greater the entropy of a particular value or statistic, the harder it is to predict or guess.

Entropy is vital to the security of cryptographic algorithms because cryptographic algorithms rely on the fact that certain values — such as the private key — are unknown to an attacker. If these values are randomly generated and have high entropy, then the set of values that an attacker would have to search to find the key is larger than if they have lower entropy.

Generating random values with high entropy is difficult for computers because computers are inherently deterministic systems. A computer is designed to run a series of instructions and produce a predictable result; any randomness in the system is seen as a bug, not a feature.

Since computers have few built-in sources of entropy, random number generation is often performed using a pseudorandom number generator (PRNG) that is seeded with a random value. By observing random events — such as a user’s mouse movements — a computer can generate a random value with high entropy to use as a starting point for a PRNG. From that value, a secure PRNG can generate a series of values that is infeasible to predict without knowledge of that initial starting point.

Where Entropy Goes Wrong

Random values are used for several purposes in cryptographic algorithms, including as private keys and initialization vectors. Some of the reasons why these values may not be random enough include:

• Hard-Coded Values: Developers may hard-code values that should be random and unique within their code. For example, an application may always use the same value as an initialization vector to a block cipher mode of operation or use the same salt for all passwords stored in a database.
• Weak RNGs: The use of a statistical RNG for cryptographic code can make it possible for an attacker to predict or guess the generated values, potentially undermining the security of the cryptographic algorithm.
• Weak Seeds: If a pseudorandom number generator (PRNG) is used to generate random numbers and the seed value is reused or guessable, an attacker can regenerate the same series of pseudorandom values.

Case Study: Blockchain Bandit

In 2019, a research study by Independent Security Evaluators discovered a large-scale theft of cryptocurrency on the Ethereum blockchain. A single attacker had stolen approximately 45,000 ETH worth over $200 million at the cryptocurrency’s all-time high in November 2021 from various cryptocurrency wallets.

This “Blockchain Bandit” took advantage of the fact that many cryptocurrency wallets had extremely weak private keys, making it easy for an attacker to guess. With knowledge of the private key associated with an Ethereum account, an attacker can perform transactions that permanently transfer the value stored in that account to an attacker-controlled address.

The lack of entropy in these users’ private keys could have been caused by a variety of different reasons. It’s possible that the user wanted to ensure that they could remember their key and used a small value as a result. Alternatively, blockchain wallet software could have used a weak source of entropy or made other errors, such as truncating the length of private keys. Regardless of the cause, the use of these weak keys exposed the wallets’ contents to attack.

Using Strong Entropy

The vulnerability of insufficiently random values comes from a lack of understanding of the importance of random numbers in cryptographic algorithms. To avoid CWE-331, it is best to follow these practices:

• Review documentation to learn which values need to be unique or random
• Use cryptographic PRNGs to generate random values
• Use a library that correctly implements random number generation

In conclusion, the use of insufficiently random values is a serious vulnerability that can undermine the security of cryptographic code. Developers should be aware of the importance of randomness in cryptographic algorithms and implement best practices to avoid CWE-331.

By using cryptographic PRNGs, reviewing documentation, and using libraries that correctly implement random number generation, developers can avoid this vulnerability and ensure the security of their applications. Failure to do so can result in significant financial losses, as demonstrated by the case study of the Blockchain Bandit. It is crucial for developers to take this vulnerability seriously and take proactive steps to prevent it in their applications.

Up Next

To help build understanding of how cryptography can go wrong and how to fix it, we’ll continue to dive deep into prevention measures and most of the 29 CWEs related to OWASP’s A02:2021 – Cryptographic Failures vulnerability in a series of blogs. Each blog will describe the weakness, why it happens, a real-world case study, and recommended mitigations.

We’re very committed to improving the state of cryptography and data security by sharing knowledge and helping to correct common misconceptions about how cryptography works and how to use it properly. To keep up with this series and our other research and cryptography content, make sure to subscribe to our blog in the page footer below.