Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List: Individual Dictionary Definition (CWE version 2.6)
CWE-320: Key Management Errors

Category ID: 320 (Category)
Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to errors in the management of cryptographic keys.
+ Applicable Platforms



+ Observed Examples

CVE-2005-2146: Insecure permissions when generating secret key, allowing spoofing.
CVE-2001-1527: Administration passwords in cleartext in executable.
CVE-2000-0762: Default installation of product uses a default encryption key, allowing others to spoof the administrator.
CVE-2002-1947: Static key / global shared key -- "global shared key" - product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
CVE-2005-4002: Static key / global shared key -- "global shared key" - product uses same secret key for all installations, allowing attackers to decrypt data.
CVE-2005-2196: Static key / global shared key -- Product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
CVE-2005-1794: Exposed or accessible private key (overlaps information exposure) -- Private key stored in executable.
CVE-2001-0072: Exposed or accessible private key (overlaps information exposure) -- Crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
CVE-2005-3256: Misc -- Encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.
+ Relationships

Nature     Type           ID   Name                                          View(s) this relationship pertains to
ChildOf    Category       310  Cryptographic Issues                          Development Concepts (primary) (699)
ParentOf   Weakness Base  321  Use of Hard-coded Cryptographic Key           Development Concepts (699)
ParentOf   Weakness Base  322  Key Exchange without Entity Authentication    Development Concepts (primary) (699)
ParentOf   Weakness Base  323  Reusing a Nonce, Key Pair in Encryption       Development Concepts (primary) (699)
ParentOf   Weakness Base  324  Use of a Key Past its Expiration Date         Development Concepts (primary) (699)
+ Taxonomy Mappings

Mapped Taxonomy Name   Node ID   Fit   Mapped Node Name
PLOVER                 (none)    -     Key Management Errors
+ Maintenance Notes

This category should probably be split into multiple sub-categories.

+ Content History

Submissions:
Submission Date   Submitter   Organization   Source
(not recorded)    PLOVER      -              Externally Mined

Modifications:
Modification Date   Modifier            Organization   Source     Changes
2008-09-08          CWE Content Team    MITRE          Internal   updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2011-03-29          CWE Content Team    MITRE          Internal   updated Observed_Examples
Page Last Updated: February 18, 2014