CWE-326: Inadequate Encryption StrengthWeakness ID: 326 Vulnerability Mapping:
ALLOWEDThis CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review (with careful review of mapping notes) Abstraction: ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. |
Description The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. Extended Description A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources. Common Consequences This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.Scope | Impact | Likelihood |
---|
Access Control Confidentiality
| Technical Impact: Bypass Protection Mechanism; Read Application Data An attacker may be able to decrypt the data using brute force attacks. | |
Potential Mitigations
Phase: Architecture and Design Use an encryption scheme that is currently considered to be strong by experts in the field. |
Relationships Modes Of Introduction The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.Phase | Note |
---|
Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
Observed Examples Reference | Description |
| Weak encryption |
| Weak encryption (chosen plaintext attack) |
| Weak encryption |
| Weak encryption produces same ciphertext from the same plaintext blocks. |
| Weak encryption |
| Weak encryption scheme |
| Weak encryption (XOR) |
| Weak encryption (reversible algorithm). |
| Weak encryption (one-to-one mapping). |
| Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). |
Detection Methods
Automated Static Analysis Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) |
Memberships This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources. Vulnerability Mapping Notes Usage: ALLOWED-WITH-REVIEW (this CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review) | Reason: Abstraction | Rationale: This CWE entry is a Class and might have Base-level children that would be more appropriate | Comments: Examine children of this entry to see if there is a better fit |
Taxonomy Mappings Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
PLOVER | | | Weak Encryption |
OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage |
OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications |
OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage |
References
|
[REF-44] Michael Howard, David LeBlanc
and John Viega. "24 Deadly Sins of Software Security". "Sin 21: Using the Wrong Cryptography." Page 315. McGraw-Hill. 2010.
|
Content History Submissions |
---|
Submission Date | Submitter | Organization |
---|
2006-07-19 (CWE Draft 3, 2006-07-19) | PLOVER | | | Modifications |
---|
Modification Date | Modifier | Organization |
---|
2008-08-15 | | Veracode | Suggested OWASP Top Ten 2004 mapping | 2008-09-08 | CWE Content Team | MITRE | updated Maintenance_Notes, Relationships, Taxonomy_Mappings | 2009-03-10 | CWE Content Team | MITRE | updated Relationships | 2009-05-27 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2009-07-08 | CWE Content Team | MITRE | Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. | 2009-07-27 | CWE Content Team | MITRE | updated Common_Consequences, Description, Maintenance_Notes, Name | 2009-10-29 | CWE Content Team | MITRE | updated Relationships | 2010-02-16 | CWE Content Team | MITRE | updated References | 2010-06-21 | CWE Content Team | MITRE | updated Relationships | 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences | 2012-05-11 | CWE Content Team | MITRE | updated References, Relationships | 2013-07-17 | CWE Content Team | MITRE | updated Relationships | 2014-07-30 | CWE Content Team | MITRE | updated Relationships | 2015-12-07 | CWE Content Team | MITRE | updated Relationships | 2017-11-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships | 2018-03-27 | CWE Content Team | MITRE | updated References, Relationships | 2019-01-03 | CWE Content Team | MITRE | updated Related_Attack_Patterns | 2019-06-20 | CWE Content Team | MITRE | updated Relationships | 2020-02-24 | CWE Content Team | MITRE | updated Maintenance_Notes, Potential_Mitigations, Relationships | 2021-10-28 | CWE Content Team | MITRE | updated Relationships | 2023-01-31 | CWE Content Team | MITRE | updated Description, Relationships | 2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships | 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes | Previous Entry Names |
---|
Change Date | Previous Entry Name |
---|
2009-07-27 | Weak Encryption | |
More information is available — Please edit the custom filter or select a different filter.
|