CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-326: Inadequate Encryption Strength

 
Inadequate Encryption Strength
Weakness ID: 326 (Weakness Class)Status: Draft
+ Description

Description Summary

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Access Control
Confidentiality

Technical Impact: Bypass protection mechanism; Read application data

An attacker may be able to decrypt the data using brute force attacks.

+ Observed Examples
ReferenceDescription
CVE-2001-1546Weak encryption
CVE-2004-2172Weak encryption (chosen plaintext attack)
CVE-2002-1682Weak encryption
CVE-2002-1697Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739Weak encryption
CVE-2005-2281Weak encryption scheme
CVE-2002-1872Weak encryption (XOR)
CVE-2002-1910Weak encryption (reversible algorithm).
CVE-2002-1946Weak encryption (one-to-one mapping).
CVE-2002-1975Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
+ Potential Mitigations

Phase: Architecture and Design

Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory310Cryptographic Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory719OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory720OWASP Top Ten 2007 Category A9 - Insecure Communications
Weaknesses in OWASP Top Ten (2007)629
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfCategoryCategory816OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2010) (primary)809
ChildOfCategoryCategory903SFP Cluster: Cryptography
Software Fault Pattern (SFP) Clusters (primary)888
ChildOfCategoryCategory934OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
Weaknesses in OWASP Top Ten (2013) (primary)928
ParentOfWeakness VariantWeakness Variant261Weak Cryptography for Passwords
Development Concepts699
Research Concepts1000
ParentOfWeakness BaseWeakness Base328Reversible One-Way Hash
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWeak Encryption
OWASP Top Ten 2007A8CWE_More_SpecificInsecure Cryptographic Storage
OWASP Top Ten 2007A9CWE_More_SpecificInsecure Communications
OWASP Top Ten 2004A8CWE_More_SpecificInsecure Storage
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Cryptographic Foibles" Page 259. 2nd Edition. Microsoft. 2002.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 21: Using the Wrong Cryptography." Page 315. McGraw-Hill. 2010.
+ Maintenance Notes

A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.

Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-05-27CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2009-07-08
(Critical)
CWE Content TeamMITREInternal
Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes.
2009-07-27CWE Content TeamMITREInternal
updated Common_Consequences, Description, Maintenance_Notes, Name
2009-10-29CWE Content TeamMITREInternal
updated Relationships
2010-02-16CWE Content TeamMITREInternal
updated References
2010-06-21CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated References, Relationships
2013-07-17CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-07-27Weak Encryption
Page Last Updated: February 18, 2014