CWE-326
Alerte pour un CWE
Stay informed of any changes for a specific CWE.
Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Extended Description
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Informations
Modes Of Introduction
Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Access Control Confidentiality | Bypass Protection Mechanism, Read Application Data Note: An attacker may be able to decrypt the data using brute force attacks. |
Observed Examples
| Reference | Description |
|---|---|
| Weak encryption | |
| Weak encryption (chosen plaintext attack) | |
| Weak encryption | |
| Weak encryption produces same ciphertext from the same plaintext blocks. | |
| Weak encryption | |
| Weak encryption scheme | |
| Weak encryption (XOR) | |
| Weak encryption (reversible algorithm). | |
| Weak encryption (one-to-one mapping). | |
| Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). |
Potential Mitigations
Phases : Architecture and DesignUse an encryption scheme that is currently considered to be strong by experts in the field.
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Effectiveness : High
Vulnerability Mapping Notes
Rationale : This CWE entry is a Class and might have Base-level children that would be more appropriateComments : Examine children of this entry to see if there is a better fit
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-112 | Brute Force In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. |
| CAPEC-192 | Protocol Analysis An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network. |
| CAPEC-20 | Encryption Brute Forcing An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext. |
References
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
Submission
| Name | Organization | Date | Date Release | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Veracode | Suggested OWASP Top Ten 2004 mapping | ||
| CWE Content Team | MITRE | updated Maintenance_Notes, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. | |
| CWE Content Team | MITRE | updated Common_Consequences, Description, Maintenance_Notes, Name | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes, Potential_Mitigations, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description, Relationships | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
2024©
tesweb SA
