Use of a Key Past its Expiration Date| ID: 324 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The product uses a cryptographic key or password past its
expiration date, which diminishes its safety significantly by increasing the
timing window for cracking attacks against that key.
Likelihood of Exploit: Low
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanismGain privileges / assume
identity | The cryptographic key in question may be compromised, providing a
malicious user with a method for authenticating as the victim. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Adequate consideration should be put in to the user interface in order
to notify users previous to the key's expiration, to explain the
importance of new key generation and to walk users through the process
as painlessly as possible. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-324 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Using a key past its expiration date | |
References:
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 23: Improper Use of PKI, Especially SSL." Page
347'. Published on 2010.
