CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.7)  

Presentation Filter:

CWE-326: Inadequate Encryption Strength

 
Inadequate Encryption Strength
Weakness ID: 326 (Weakness Class)Status: Draft
+ Description

Description Summary

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect

Technical Impact: Bypass protection mechanism; Read application data

An attacker may be able to decrypt the data using brute force attacks.

+ Observed Examples
ReferenceDescription
Weak encryption
Weak encryption (chosen plaintext attack)
Weak encryption
Weak encryption produces same ciphertext from the same plaintext blocks.
Weak encryption
Weak encryption scheme
Weak encryption (XOR)
Weak encryption (reversible algorithm).
Weak encryption (one-to-one mapping).
Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
+ Potential Mitigations

Phase: Architecture and Design

Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory310Cryptographic Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory719OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory720OWASP Top Ten 2007 Category A9 - Insecure Communications
Weaknesses in OWASP Top Ten (2007)629
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory816OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2010) (primary)809
ChildOfCategoryCategory903SFP Cluster: Cryptography
Software Fault Pattern (SFP) Clusters (primary)888
ChildOfCategoryCategory934OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
Weaknesses in OWASP Top Ten (2013) (primary)928
ParentOfWeakness VariantWeakness Variant261Weak Cryptography for Passwords
Development Concepts699
Research Concepts1000
ParentOfWeakness BaseWeakness Base328Reversible One-Way Hash
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWeak Encryption
OWASP Top Ten 2007A8Insecure Cryptographic Storage
OWASP Top Ten 2007A9Insecure Communications
OWASP Top Ten 2004A8Insecure Storage
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Cryptographic Foibles" Page 259. 2nd Edition. Microsoft. 2002.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 21: Using the Wrong Cryptography." Page 315. McGraw-Hill. 2010.
+ Maintenance Notes

A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.

Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08MITREInternal
updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2009-03-10MITREInternal
updated Relationships
2009-05-27MITREInternal
updated Related_Attack_Patterns
2009-07-08
(Critical)
MITREInternal
Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes.
2009-07-27MITREInternal
updated Common_Consequences, Description, Maintenance_Notes, Name
2009-10-29MITREInternal
updated Relationships
2010-02-16MITREInternal
updated References
2010-06-21MITREInternal
updated Relationships
2011-06-01MITREInternal
updated Common_Consequences
2012-05-11MITREInternal
updated References, Relationships
2013-07-17MITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-07-27Weak Encryption
Page Last Updated: June 23, 2014