Category: Security Primitives and Cryptography Issues
Draft
Summary
Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation. |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result. |
| CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments | A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures. |
| CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs | The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result). |
| CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
| CWE-325 | Missing Cryptographic Step | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-1194 | Hardware Design | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.