Inadequate Encryption Strength
ID: 326 | Date: (C) 2012-05-14 (M) 2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Class |
Description
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Extended Description
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources. "Theoretically sound" here means the algorithm itself has no known practical shortcut; the weakness is that its key length or work factor is small enough that an attacker can exhaustively search the key space with the computing power available today.
Applicable Platforms
Language Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control; Confidentiality | Bypass protection mechanism; Read application data | An attacker may be able to decrypt the data using brute force attacks. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Use a cryptographic algorithm that is currently considered to be strong by experts in the field. | | |
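The brute force attack named in the Extended Description and the mitigation above, as an added illustration that is not part of the CWE entry: a toy XOR stream cipher whose only weakness is its key size. With a 16-bit effective key the attacker recovers the key from one ciphertext plus a predictable header; with a 256-bit key the identical construction cannot be searched. The SHA-256 keystream construction, the helper names and the sample message are assumptions made for this example (the entry names no particular algorithm).

```python
import hashlib
import secrets
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || 4-byte counter) blocks, concatenated and truncated.

    Deterministic in the key, so key size is the only thing between an attacker
    and the plaintext. Teaching construction only (assumption for this example);
    real code should use a vetted AEAD from a maintained library.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def int_key(index: int, key_bits: int) -> bytes:
    """Encode an integer as a fixed-width key of key_bits bits (rounded up to bytes)."""
    return index.to_bytes((key_bits + 7) // 8, "big")


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int) -> Optional[bytes]:
    """Known-plaintext exhaustive search over every key_bits-bit key.

    Only the first len(known_prefix) bytes are decrypted per candidate, so each
    trial costs a single SHA-256 call. Returns the first key whose decryption
    starts with known_prefix, or None once the whole space is exhausted.
    """
    prefix_len = len(known_prefix)
    for i in range(1 << key_bits):
        candidate = int_key(i, key_bits)
        if decrypt(candidate, ciphertext[:prefix_len]) == known_prefix:
            return candidate
    return None


def search_years(key_bits: int, guesses_per_second: float) -> float:
    """Years needed to exhaust a key_bits-bit key space at the given guess rate.

    Full exhaustion; on average the key turns up halfway through.
    """
    return (2 ** key_bits) / guesses_per_second / (365 * 24 * 3600)


def weak_demo() -> bytes:
    """Weak configuration: 16-bit effective key, 65,536 candidates.

    A random key is drawn, a message with a predictable header (constructed sample)
    is encrypted, and the attacker recovers the key from ciphertext and header alone.
    """
    header = b"MSG-v1: "
    key = int_key(secrets.randbelow(1 << 16), 16)
    ciphertext = encrypt(key, header + b"transfer 100 to acct 42")
    recovered = brute_force(ciphertext, header, 16)
    assert recovered == key  # whole key space searched in well under a second
    return decrypt(recovered, ciphertext)


def strong_demo() -> bytes:
    """Same construction with a 256-bit random key: exhaustive search is out of reach."""
    key = secrets.token_bytes(32)
    ciphertext = encrypt(key, b"MSG-v1: transfer 100 to acct 42")
    return decrypt(key, ciphertext)


if __name__ == "__main__":
    print(weak_demo())
    print(strong_demo())
    # Assumed attacker rate of 10^12 guesses per second, for scale:
    for bits in (16, 56, 256):
        print(f"{bits:3d}-bit key: {search_years(bits, 1e12):.2e} years to exhaust")
```

The example keeps the construction fixed so that key size is the single variable; the fix in practice is not a longer key for a home-made cipher but a vetted algorithm and mode (for instance AES-256-GCM or ChaCha20-Poly1305 from a maintained library), which is what the mitigation row means by "considered to be strong by experts in the field".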
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-326 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative Examples: None
Observed Examples
- CVE-2001-1546 : Weak encryption
- CVE-2004-2172 : Weak encryption (chosen plaintext attack)
- CVE-2002-1682 : Weak encryption
- CVE-2002-1697 : Weak encryption produces same ciphertext from the same plaintext blocks.
- CVE-2002-1739 : Weak encryption
- CVE-2005-2281 : Weak encryption scheme
- CVE-2002-1872 : Weak encryption (XOR)
- CVE-2002-1910 : Weak encryption (reversible algorithm).
- CVE-2002-1946 : Weak encryption (one-to-one mapping).
- CVE-2002-1975 : Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
PLOVER | | Weak Encryption | |
OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE_More_Specific |
OWASP Top Ten 2007 | A9 | Insecure Communications | CWE_More_Specific |
OWASP Top Ten 2004 | A8 | Insecure Storage | CWE_More_Specific |
References:
- M. Howard, D. LeBlanc. Writing Secure Code, 2nd Edition. Microsoft, 2002. Chapter 8, "Cryptographic Foibles", page 259.
- Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. "Sin 21: Using the Wrong Cryptography", page 315.