CWE - Common Weakness Enumeration: A Community-Developed List of Software Weakness Types
CWE Individual Dictionary Definition (2.11)
CWE-324: Use of a Key Past its Expiration Date

Weakness ID: 324
Abstraction: Base
Status: Draft
+ Description

Description Summary

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

Extended Description

While the expiration of a key does not by itself mean the key has been compromised, keys that remain in use for prolonged periods of time become progressively less trustworthy, and this is a significant concern. For this reason, it is important to replace keys within a period of time proportional to their strength.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

Language-independent

+ Common Consequences
Scope: Access Control

Technical Impact: Bypass protection mechanism; Gain privileges / assume identity

Effect: The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

The following code attempts to verify that a certificate is valid.

(Bad Code)
Example Languages: C and C++
    if (cert = SSL_get_peer_certificate(ssl)) {
        foo = SSL_get_verify_result(ssl);
        /* Accepts a clean result, but also accepts a certificate whose
           validity window has not yet started; expiry is never considered. */
        if ((X509_V_OK == foo) || (X509_V_ERR_CERT_NOT_YET_VALID == foo)) {
            //do stuff
        }
    }

The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.
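A hardened version of the check above, written here as an added example in C (it is not CWE's or OpenSSL's own code). The verify-result codes are local stand-ins for the OpenSSL macros, and classify_key and rotation_deadline are hypothetical helpers that apply the mitigation of warning users before a key's window closes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Local stand-ins for OpenSSL's verify result codes; a real program uses the
 * macros from <openssl/x509_vfy.h>. Only these three outcomes matter here. */
enum { V_OK = 0, V_ERR_CERT_NOT_YET_VALID = 9, V_ERR_CERT_HAS_EXPIRED = 10 };

typedef enum { KEY_OK, KEY_EXPIRING_SOON, KEY_EXPIRED, KEY_NOT_YET_VALID } key_state;

/* Accept the peer only on a clean verification. Both time-window errors
 * (not yet valid and expired) are rejections, unlike the page's example. */
bool peer_cert_usable(long verify_result) {
    return verify_result == V_OK;
}

/* Classify a key against its validity window. warn_before is how far ahead
 * of not_after the caller wants to be told to rotate (hypothetical helper). */
key_state classify_key(time_t now, time_t not_before, time_t not_after,
                       time_t warn_before) {
    if (now < not_before)               return KEY_NOT_YET_VALID;
    if (now >= not_after)               return KEY_EXPIRED;
    if (not_after - now <= warn_before) return KEY_EXPIRING_SOON;
    return KEY_OK;
}

/* Renewal point as a percentage of the lifetime, so a longer-lived key is
 * still replaced well before its window closes (hypothetical helper). */
time_t rotation_deadline(time_t not_before, time_t not_after,
                         unsigned renew_percent) {
    long long lifetime = (long long)(not_after - not_before);
    return not_before + (time_t)(lifetime * renew_percent / 100);
}

int main(void) {
    /* Constructed sample window: a key valid for 1500 seconds, checked
     * 50 seconds before it expires. */
    time_t not_before = 500, not_after = 2000, now = 1950;
    key_state s = classify_key(now, not_before, not_after, 100);
    printf("cert result %d usable: %d\n", V_ERR_CERT_HAS_EXPIRED,
           peer_cert_usable(V_ERR_CERT_HAS_EXPIRED));
    printf("key state: %d, rotate by: %ld\n", (int)s,
           (long)rotation_deadline(not_before, not_after, 80));
    return 0;
}
```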

+ Potential Mitigations

Phase: Architecture and Design

Adequate consideration should be put into the user interface in order to notify users before the key's expiration, to explain the importance of generating a new key, and to walk users through the process as painlessly as possible.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 320 | Key Management Errors | Development Concepts (primary) (699)
ChildOf | Weakness Base | 672 | Operation on a Resource after Expiration or Release | Research Concepts (primary) (1000)
ChildOf | Category | 959 | SFP Secondary Cluster: Weak Cryptography | Software Fault Pattern (SFP) Clusters (primary) (888)
PeerOf | Weakness Variant | 298 | Improper Validation of Certificate Expiration | Research Concepts (1000)
PeerOf | Weakness Variant | 262 | Not Using Password Aging | Research Concepts (1000)
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
CLASP | | | Using a key past its expiration date
+ References
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 23: Improper Use of PKI, Especially SSL." Page 347. McGraw-Hill. 2010.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
| CLASP | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External: updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal: updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2009-05-27 | CWE Content Team | MITRE | Internal: updated Demonstrative_Examples
2011-06-01 | CWE Content Team | MITRE | Internal: updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal: updated References, Relationships
2012-10-30 | CWE Content Team | MITRE | Internal: updated Potential_Mitigations
2013-02-21 | CWE Content Team | MITRE | Internal: updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes
2014-07-30 | CWE Content Team | MITRE | Internal: updated Demonstrative_Examples, Relationships
Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Using a Key Past its Expiration Date

Page Last Updated: May 05, 2017