Inadequate Encryption Strength

ID: 326
Date: created 2012-05-14, modified 2017-10-12
Type: weakness
Status: DRAFT
Abstraction Type: Class





Description

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound (the algorithm itself has no known practical break) but whose chosen parameters, most often the key length, are not strong enough for the level of protection the data requires.

Extended Description

A weak encryption scheme can be subjected to brute force attacks, such as exhaustive search of a small key space, that have a reasonable chance of succeeding using current attack methods and resources. The attacker needs only a way to recognise the correct key (a known plaintext prefix, a format header or a checksum), not a flaw in the algorithm.

Applicable Platforms
Language Class: All

Time Of Introduction

  • Architecture and Design

Related Attack Patterns
None

Common Consequences

Scope: Access Control, Confidentiality
Technical Impact: Bypass protection mechanism; Read application data
Notes: An attacker may be able to decrypt the data using brute force attacks.

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Strategy: (not specified)
Description: Use a cryptographic algorithm, and key and parameter sizes, that are currently considered to be strong by experts in the field; revisit the choice as attack capabilities improve.
Effectiveness: (not specified)
Notes: (none)
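As an added worked example (not part of the SecPod/CWE entry and not code from either project), the Python below shows the Description's point and the Mitigation's together: a stream cipher built from HMAC-SHA256 in counter mode is a theoretically sound construction, yet when the caller supplies a 16-bit key it falls to exhaustive search in well under a second given a predictable plaintext prefix, while the same code with a 256-bit key does not. The cipher construction, the JSON-like sample record, the known header and the 128-bit policy floor are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 12  # bytes; assumed nonce size for the illustrative cipher


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).
    The construction is sound; only the key length chosen by the caller is at issue."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext, with a fresh random nonce per message."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def brute_force(blob: bytes, key_len_bytes: int, known_prefix: bytes) -> Optional[bytes]:
    """Exhaustive key search (the attack CWE-326 is about). The attacker only needs a
    recogniser for the right key; here it is a known plaintext prefix such as a format header."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    n = len(known_prefix)
    for candidate in range(256 ** key_len_bytes):
        key = candidate.to_bytes(key_len_bytes, "big")
        ks = keystream(key, nonce, n)
        if bytes(c ^ k for c, k in zip(ct[:n], ks)) == known_prefix:
            return key
    return None


def key_is_strong_enough(key: bytes, minimum_bits: int = 128) -> bool:
    """Policy check for the mitigation: reject keys below an assumed 128-bit floor."""
    return len(key) * 8 >= minimum_bits


def years_to_exhaust(key_bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every key at the given rate; expected time is half this."""
    return (2 ** key_bits) / guesses_per_second / (365 * 24 * 3600)


def demo() -> dict:
    record = b'{"user":"alice","balance":1250}'  # constructed sample plaintext
    known = b'{"user":'                           # header an attacker can predict

    weak_key = b"\xbe\xef"                        # 16-bit key: the CWE-326 condition
    weak_blob = encrypt(weak_key, record)
    recovered = brute_force(weak_blob, len(weak_key), known)

    strong_key = secrets.token_bytes(32)          # 256-bit key: same cipher, adequate strength
    strong_blob = encrypt(strong_key, record)

    return {
        "weak_key_recovered": recovered == weak_key,
        "weak_plaintext": decrypt(recovered, weak_blob) if recovered else None,
        "weak_passes_policy": key_is_strong_enough(weak_key),
        "strong_passes_policy": key_is_strong_enough(strong_key),
        "strong_roundtrip": decrypt(strong_key, strong_blob) == record,
        "years_16bit_at_1e6_per_s": years_to_exhaust(16, 1e6),
        "years_256bit_at_1e12_per_s": years_to_exhaust(256, 1e12),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute-force loop never touches the HMAC construction itself; it simply enumerates 2^16 keys and stops when the decrypted header matches, which is why the fix is a key-size policy (key_is_strong_enough) at design time rather than a change of algorithm. The years_to_exhaust estimate is the sanity check a reviewer can apply to any proposed key or parameter size against an assumed attacker rate.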

Relationships

Related CWE: CWE-903 (Category)
Type: CWE-326 is a ChildOf CWE-903
View: CWE-888
Chain: (none)

Demonstrative Examples
None

Observed Examples

  1. CVE-2001-1546 : Weak encryption
  2. CVE-2004-2172 : Weak encryption (chosen plaintext attack)
  3. CVE-2002-1682 : Weak encryption
  4. CVE-2002-1697 : Weak encryption produces same ciphertext from the same plaintext blocks.
  5. CVE-2002-1739 : Weak encryption
  6. CVE-2005-2281 : Weak encryption scheme
  7. CVE-2002-1872 : Weak encryption (XOR)
  8. CVE-2002-1910 : Weak encryption (reversible algorithm).
  9. CVE-2002-1946 : Weak encryption (one-to-one mapping).
  10. CVE-2002-1975 : Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).


White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
PLOVER | | Weak Encryption |
OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE_More_Specific
OWASP Top Ten 2007 | A9 | Insecure Communications | CWE_More_Specific
OWASP Top Ten 2004 | A8 | Insecure Storage | CWE_More_Specific


References:

  1. M. Howard and D. LeBlanc. Writing Secure Code, 2nd Edition. Microsoft Press, 2002. Chapter 8, "Cryptographic Foibles", p. 259.
  2. M. Howard, D. LeBlanc and J. Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. "Sin 21: Using the Wrong Cryptography", p. 315.

© 2013 SecPod Technologies