Not Using a Random IV with CBC Mode| ID: 329 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
Not using a random initialization Vector (IV) with Cipher Block
Chaining (CBC) Mode causes algorithms to be susceptible to dictionary
attacks.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityOther | Read application
dataOther | If the CBC is not properly initialized, data that is encrypted can be
compromised and therefore be read. |
| Integrity | Modify application
data | If the CBC is not properly initialized, encrypted data could be
tampered with in transfer. |
| Access_ControlOther | Bypass protection
mechanismOther | Cryptographic based authentication systems could be defeated. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Implementation | | It is important to properly initialize CBC operating block ciphers or
their utility is lost. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-329 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following examples, CBC mode is used when encrypting
data:
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Not using a random IV with CBC mode | |
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Initialization Vectors", Page
42.'. Published on 2006.
