Inadequate Encryption Strength

Status: Draft
Abstraction: Class
Structure: Simple
Description

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Common Consequences 1
Scope: Access Control, Confidentiality

Impact: Bypass Protection Mechanism, Read Application Data

An attacker may be able to decrypt the data using brute force attacks.

Detection Methods 1
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
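A small pattern-matching check in the spirit of the static analysis described above, added here as an example and not part of the CWE entry: it walks a Python syntax tree and flags key-generation calls whose key size falls below a floor. The 2048-bit and 128-bit floors, the name `find_weak_keys` and the constructed sample source are assumptions; the calls matched are `rsa.generate_private_key` / `dsa.generate_private_key` from the `cryptography` package and `DES.new` from PyCryptodome.

```python
import ast

# Assumed policy floors (not taken from the CWE entry); adjust to your standard.
MIN_ASYM_BITS = 2048              # RSA/DSA modulus size
MIN_SYM_BITS = 128                # symmetric key size
FIXED_KEY_BITS = {"DES": 56}      # ciphers whose key size is fixed by design

# Constructed sample input: it is only parsed, never executed.
SAMPLE = '''
from cryptography.hazmat.primitives.asymmetric import rsa
from Crypto.Cipher import DES, AES
weak = rsa.generate_private_key(public_exponent=65537, key_size=1024)
ok = rsa.generate_private_key(public_exponent=65537, key_size=3072)
dyn = rsa.generate_private_key(public_exponent=65537, key_size=cfg_bits)
legacy = DES.new(key8, DES.MODE_CBC, iv)
modern = AES.new(key32, AES.MODE_GCM)
'''

def find_weak_keys(source):
    """Return sorted (line, message) findings for inadequate key sizes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)):
            continue
        owner, method = node.func.value.id, node.func.attr
        if method == "generate_private_key" and owner in ("rsa", "dsa"):
            size = next((k.value for k in node.keywords if k.arg == "key_size"), None)
            if size is None:
                continue  # key_size passed positionally is not checked here
            if not (isinstance(size, ast.Constant) and isinstance(size.value, int)):
                # Pattern matching cannot resolve a variable; data-flow analysis would.
                findings.append((node.lineno, f"{owner} key_size is not a literal, trace its source"))
            elif size.value < MIN_ASYM_BITS:
                findings.append((node.lineno, f"{owner} key_size={size.value} is below {MIN_ASYM_BITS}"))
        elif method == "new" and FIXED_KEY_BITS.get(owner, MIN_SYM_BITS) < MIN_SYM_BITS:
            findings.append((node.lineno, f"{owner} uses a fixed {FIXED_KEY_BITS[owner]}-bit key"))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in find_weak_keys(SAMPLE):
        print(f"line {line}: {message}")
```

The non-literal `key_size` finding marks the point where syntax matching stops and the source-to-sink data-flow model described above becomes necessary.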
Potential Mitigations 1
Phase: Architecture and Design
Use an encryption scheme that is currently considered to be strong by experts in the field.
Observed Examples 10
CVE-2001-1546: Weak encryption
CVE-2004-2172: Weak encryption (chosen plaintext attack)
CVE-2002-1682: Weak encryption
CVE-2002-1697: Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739: Weak encryption
CVE-2005-2281: Weak encryption scheme
CVE-2002-1872: Weak encryption (XOR)
CVE-2002-1910: Weak encryption (reversible algorithm).
CVE-2002-1946: Weak encryption (one-to-one mapping).
CVE-2002-1975: Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Modes of Introduction
Architecture and Design
Related Weaknesses
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2007
  • OWASP Top Ten 2004