Not Using a Random IV with CBC ModeID: 329 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
Not using a random initialization Vector (IV) with Cipher Block
Chaining (CBC) Mode causes algorithms to be susceptible to dictionary
attacks.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
ConfidentialityOther | Read application
dataOther | If the CBC is not properly initialized, data that is encrypted can be
compromised and therefore be read. |
Integrity | Modify application
data | If the CBC is not properly initialized, encrypted data could be
tampered with in transfer. |
Access_ControlOther | Bypass protection
mechanismOther | Cryptographic based authentication systems could be defeated. |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Implementation | | It is important to properly initialize CBC operating block ciphers or
their utility is lost. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-329 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following examples, CBC mode is used when encrypting
data:
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
CLASP | | Not using a random IV with CBC mode | |
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Initialization Vectors", Page
42.'. Published on 2006.