CWE - CWE-327: Use of a Broken or Risky Cryptographic Algorithm (Draft 9)

Home > CWE List > CWE-327 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-327 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Incomplete

327 (Weakness Base)

Description

Summary

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.

Likelihood of Exploit

Medium to High

Common Consequences

Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.

Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.

Accountability: Any accountability to message content preserved by cryptography may be subject to attack.

Potential Mitigations

Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field. You should choose a tested and widely used implementation. As with all cryptographic mechanisms, the source code should be available for analysis.

Demonstrative
Examples

C/C++ Example:

EVP_des_ecb();

Java Example:

Cipher des=Cipher.getInstance("DES...");
des.initEncrypt(key2);

Context Notes

Cryptographic algorithms are the methods by which data is scrambled. There are a small number of well understood and heavily studied algorithms that should be used by most applications. It is quite difficult to produce a secure algorithm, and even high profile algorithms by accomplished cryptographic experts have been broken. The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected.

Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all.

Relationships

Nature	Type	ID	Name
ChildOf	Weakness Class	326	Weak Encryption
PeerOf	Weakness Base	311	Failure to Encrypt Sensitive Data
PeerOf	Weakness Variant	301	Reflection Attack in an Authentication Protocol

Source Taxonomies

CLASP - Using a broken or risky cryptographic algorithm

Applicable Platforms

All

Time of Introduction

Architecture and Design

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
97	Cryptanalysis

Page Last Updated: April 22, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us