Description

Weaknesses in this category are related to errors in the management of cryptographic keys.

Applicable Platforms
Language Class: All

Common Consequences
None

Detection Methods
None

Potential Mitigations
None

Relationships

Demonstrative Examples
None

Observed Examples

1. CVE-2005-2146 : insecure permissions when generating secret key, allowing spoofing
2. CVE-2001-1527 : administration passwords in cleartext in executable
3. CVE-2000-0762 : default installation of product uses a default encryption key, allowing others to spoof the administrator
4. CVE-2002-1947 : static key / global shared key -- "global shared key" - product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
5. CVE-2005-4002 : static key / global shared key -- "global shared key" - product uses same secret key for all installations, allowing attackers to decrypt data.
6. CVE-2005-2196 : static key / global shared key -- Product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
7. CVE-2005-1794 : Exposed or accessible private key (overlaps information exposure) -- Private key stored in executable
8. CVE-2001-0072 : Exposed or accessible private key (overlaps information exposure) -- Crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
9. CVE-2005-3256 : Misc -- Encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

References:
None