CWE - Common Weakness Enumeration
Individual Dictionary Definition (CWE List version 2.8)

CWE-320: Key Management Errors
Category ID: 320 (Category)
Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to errors in the management of cryptographic keys.
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description (the Reference column is not present in this copy of the page; only the descriptions are listed)
 - Insecure permissions when generating a secret key, allowing spoofing.
 - Administration passwords stored in cleartext in an executable.
 - Default installation of a product uses a default encryption key, allowing others to spoof the administrator.
 - Static key / global shared key -- product uses the same SSL key for all installations, allowing attackers to eavesdrop on or hijack sessions.
 - Static key / global shared key -- product uses the same secret key for all installations, allowing attackers to decrypt data.
 - Static key / global shared key -- product uses a default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
 - Exposed or accessible private key (overlaps information exposure) -- private key stored in an executable.
 - Exposed or accessible private key (overlaps information exposure) -- crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
 - Misc -- encryption product accidentally selects the wrong key if the key lacks additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.
+ Relationships
Nature   | Type          | ID  | Name                                                      | View(s) this relationship pertains to         | View(s)
ChildOf  | Category      | 310 | Cryptographic Issues                                      | Development Concepts (primary)                | 699
ChildOf  | Category      | 934 | OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure  | Weaknesses in OWASP Top Ten (2013) (primary)  | 928
ParentOf | Weakness Base | 321 | Use of Hard-coded Cryptographic Key                       | Development Concepts                          | 699
ParentOf | Weakness Base | 322 | Key Exchange without Entity Authentication                | Development Concepts (primary)                | 699
ParentOf | Weakness Base | 323 | Reusing a Nonce, Key Pair in Encryption                   | Development Concepts (primary)                | 699
ParentOf | Weakness Base | 324 | Use of a Key Past its Expiration Date                     | Development Concepts (primary)                | 699
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER               |         |     | Key Management Errors
+ Maintenance Notes

This category should probably be split into multiple sub-categories.

+ Content History
Submissions
Submission Date | Submitter | Organization | Source
                | PLOVER    |              | Externally Mined
Modifications
Modification Date | Modifier         | Organization | Source   | Changes
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2011-03-29        | CWE Content Team | MITRE        | Internal | updated Observed_Examples
2014-06-23        | CWE Content Team | MITRE        | Internal | updated Relationships
Page Last Updated: July 30, 2014