CWE Individual Dictionary Definition (CWE version 2.7)

CWE-323: Reusing a Nonce, Key Pair in Encryption

Weakness ID: 323 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

Nonces should be used for the present occasion and only once.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope: (not specified)

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

Effect: If nonces are allowed to be reused, a replay attack becomes possible: an attacker records a legitimate message and sends the same data a second time. This could allow a user to send a message that masquerades as a valid message from a valid user.

+ Likelihood of Exploit

High

+ Demonstrative Examples

Example 1

This code takes a password, concatenates it with a nonce, then hashes the result before sending it over a network:

(Bad Code)
Example Language: C
#include <stdlib.h>
#include <string.h>
#include <openssl/sha.h>

void encryptAndSendPassword(char *password){
    char *nonce = "bad";                  /* fixed nonce: the weakness this entry describes */
    /* ... */
    unsigned char *data = (unsigned char*)malloc(SHA_DIGEST_LENGTH);
    int para_size = strlen(nonce) + strlen(password);
    char *paragraph = (char*)malloc(para_size + 1);
    strcpy(paragraph, nonce);             /* paragraph = nonce || password */
    strcat(paragraph, password);
    SHA1((const unsigned char*)paragraph, para_size, data);
    sendEncryptedData(data);              /* the same digest is sent on every call */
    free(paragraph);
}

Because the nonce used is always the same, an attacker can impersonate a trusted party by intercepting and resending the encrypted password. This attack avoids the need to learn the unencrypted password.

Example 2

This code sends a command to a remote server, using an encrypted password and nonce to prove the command is from a trusted party:

(Bad Code)
Example Language: Java
import java.security.MessageDigest;

String command = "some command to execute";
MessageDigest nonceDigest = MessageDigest.getInstance("SHA");
nonceDigest.update("bad nonce".getBytes());   // fixed nonce: the weakness this entry describes
byte[] nonce = nonceDigest.digest();
MessageDigest password = MessageDigest.getInstance("SHA");
password.update(nonce);                       // digest = SHA(nonce || "secretPassword")
password.update("secretPassword".getBytes());
byte[] digest = password.digest();
sendCommand(digest, command);                 // the same digest accompanies every command

Once again the nonce used is always the same. An attacker may be able to replay previous legitimate commands or execute new arbitrary commands.

+ Potential Mitigations

Phase: Implementation

Refuse to reuse nonce values.

Phase: Implementation

Use techniques such as requiring incrementing, time-based and/or challenge-response values to assure the uniqueness of nonces.
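The two mitigations above, as an added example that is not part of the CWE entry: a fixed-nonce proof in the style of the demonstrative examples yields the same bytes every time, while a challenge-response receiver that issues a fresh random nonce per exchange and retires it after one use rejects a resent message. The pre-shared key, the HMAC-SHA256 construction and all message contents are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample pre-shared key; the client and server are assumed to share it.
KEY = b"constructed-pre-shared-key"

def fixed_nonce_proof(key: bytes, command: bytes) -> bytes:
    """Mirrors the entry's bad examples: a constant 'nonce' makes the proof for a
    given command identical every time, so a captured proof replays verbatim."""
    nonce = b"bad nonce"
    return hmac.new(key, nonce + command, hashlib.sha256).digest()

def client_proof(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side of the challenge-response: bind the server's fresh nonce to the command."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()

class ChallengeResponseServer:
    """Receiver that issues a fresh random nonce per exchange and never accepts it twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # nonces issued and not yet consumed
        self.consumed = set()     # nonces that already authorised a command

    def issue_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)  # unpredictable, so it cannot be pre-computed
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, command: bytes, proof: bytes) -> str:
        if nonce in self.consumed:
            return "rejected: nonce already used (replay)"
        if nonce not in self.outstanding:
            return "rejected: nonce was not issued by this server"
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return "rejected: proof does not match command"
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)  # retire it; a real server would expire old entries
        return "accepted"

def replay_outcome(server: ChallengeResponseServer, command: bytes) -> tuple:
    """Run one legitimate exchange, then resend the captured message unchanged."""
    nonce = server.issue_nonce()
    proof = client_proof(server.key, nonce, command)
    first = server.verify(nonce, command, proof)
    second = server.verify(nonce, command, proof)  # the replay
    return first, second
```

The consumed set grows without bound as written; a deployed receiver bounds it with an expiry window or a monotonic counter, which is the incrementing or time-based variant the mitigation names.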

+ Background Details

Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange.

+ Relationships
Nature    | Type           | ID   | Name                                                     | View(s) this relationship pertains to
ChildOf   | Category       | 320  | Key Management Errors                                    | Development Concepts (primary) 699
ChildOf   | Weakness Base  | 344  | Use of Invariant Value in Dynamically Changing Context   | Research Concepts (primary) 1000
ChildOf   | Category       | 903  | SFP Cluster: Cryptography                                | Software Fault Pattern (SFP) Clusters (primary) 888
MemberOf  | View           | 884  | CWE Cross-section                                        | CWE Cross-section (primary) 884
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP                |         |     | Reusing a nonce, key pair in encryption
+ Content History
Submissions

Submission Date | Submitter | Organization | Source
                |           |              | Externally Mined

Modifications

Modification Date | Modifier | Organization | Source   | Changes
2008-07-01        |          | Cigital      | External | updated Time_of_Introduction
2008-09-08        |          | MITRE        | Internal | updated Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-01        |          | MITRE        | Internal | updated Common_Consequences
2012-05-11        |          | MITRE        | Internal | updated Relationships
2012-10-30        |          | MITRE        | Internal | updated Demonstrative_Examples, Potential_Mitigations
Page Last Updated: June 23, 2014