Inadequate Encryption Strength
| Field | Value |
|---|---|
| ID | 326 |
| Date | (C)2012-05-14 (M)2018-09-04 |
| Type | weakness |
| Status | DRAFT |
| Abstraction Type | Class |
The software stores or transmits sensitive data using an
encryption scheme that is theoretically sound, but is not strong enough for the
level of protection required.
Extended Description
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and
Applicable Platforms
Language Class: All
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Note |
|---|---|---|
| Access Control, Confidentiality | Bypass protection; data | An attacker may be able to decrypt the data using brute force |
Potential Mitigations
| Phase | Description |
|---|---|
| Architecture and Design | Use a cryptographic algorithm that is currently considered to be strong by experts in the field. |
Relationships
| Relationship | Type | View |
|---|---|---|
| CWE-326 ChildOf CWE-903 | Category | CWE-888 |
- CVE-2001-1546 : Weak encryption
- CVE-2004-2172 : Weak encryption (chosen plaintext attack)
- CVE-2002-1682 : Weak encryption
- CVE-2002-1697 : Weak encryption produces same ciphertext from the same plaintext blocks.
- CVE-2002-1739 : Weak encryption
- CVE-2005-2281 : Weak encryption scheme
- CVE-2002-1872 : Weak encryption (XOR)
- CVE-2002-1910 : Weak encryption (reversible algorithm).
- CVE-2002-1946 : Weak encryption (one-to-one mapping).
- CVE-2002-1975 : Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
For more examples, refer to CVE relations in the bottom box.
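Added here as an illustration, not part of the CWE entry: a small Python policy check that flags the weaknesses the mitigation above and the observed examples describe (a broken or non-cipher algorithm, a key below a minimum size, an ECB-style mode that maps identical plaintext blocks to identical ciphertext, and a fixed salt) and estimates brute-force effort from the effective key size. The key-size floors, the algorithm table and the guess rate are this example's own assumptions.

```python
"""Check an encryption configuration against a minimum strength policy (CWE-326).

Hypothetical example: the floors and algorithm caps below are this example's own
assumptions, not values taken from the CWE entry.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Algorithms treated as broken, mapped to an effective-strength cap in bits
# (None = no meaningful security, e.g. plain XOR or a one-to-one substitution).
WEAK_ALGORITHMS = {"DES": 56, "RC2": 40, "RC4": None, "XOR": None, "SUBSTITUTION": None}
# Minimum key sizes assumed by this policy, per algorithm family.
MIN_KEY_BITS = {"symmetric": 128, "rsa": 2048, "ecc": 256}
FAMILY = {"AES": "symmetric", "CHACHA20": "symmetric", "3DES": "symmetric",
          "RSA": "rsa", "ECDSA": "ecc", "ECDH": "ecc"}


def brute_force_years(effective_bits: int, guesses_per_second: float) -> float:
    """Expected time to search half the key space at the given guess rate."""
    return (2 ** (effective_bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def assess(config: dict) -> list[str]:
    """Return policy findings for a scheme; an empty list means it passes."""
    alg = config["algorithm"].upper()
    bits = int(config.get("key_bits", 0))
    findings: list[str] = []
    if alg in WEAK_ALGORITHMS:
        cap = WEAK_ALGORITHMS[alg]
        findings.append(f"{alg}: algorithm is considered broken"
                        + (f" (effective strength capped at {cap} bits)" if cap else ""))
        bits = min(bits, cap) if cap else 0  # nominal key size overstates strength
    family = FAMILY.get(alg, "symmetric")
    if bits < MIN_KEY_BITS[family]:
        findings.append(f"{alg}: {bits}-bit key is below the "
                        f"{MIN_KEY_BITS[family]}-bit floor for {family} keys")
    if config.get("mode", "").upper() == "ECB":
        findings.append("ECB mode: identical plaintext blocks give identical ciphertext blocks")
    if config.get("salt") == "fixed":
        findings.append("fixed salt: precomputed dictionary attacks are not prevented")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations, one weak and one acceptable.
    for cfg in ({"algorithm": "DES", "key_bits": 56, "mode": "ECB", "salt": "fixed"},
                {"algorithm": "AES", "key_bits": 256, "mode": "GCM", "salt": "random"}):
        print(cfg["algorithm"], assess(cfg) or "OK",
              f"~{brute_force_years(min(cfg['key_bits'], 128), 1e12):.3g} years at 1e12 guesses/s")
```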
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | | Weak Encryption | |
| OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE_More_Specific |
| OWASP Top Ten 2007 | A9 | Insecure Communications | CWE_More_Specific |
| OWASP Top Ten 2004 | A8 | Insecure Storage | CWE_More_Specific |