|
|
|
|
CWE-327 Individual Dictionary Definition (Draft 9)
Weakness ID
| Status: Incomplete 327 (Weakness Base) | | Description | Summary The use of a broken or risky cryptographic algorithm is an unnecessary risk that may
result in the disclosure of sensitive information. | | Likelihood of Exploit | Medium to High | | Common Consequences | Confidentiality: The confidentiality of sensitive data may be compromised by
the use of a broken or risky cryptographic algorithm. Integrity: The integrity of sensitive data may be compromised by the use of a
broken or risky cryptographic algorithm. Accountability: Any accountability to message content preserved by
cryptography may be subject to attack. | | Potential Mitigations | Design: Use a cryptographic algorithm that is currently considered to be strong by
experts in the field. You should choose a tested and widely used implementation. As with all
cryptographic mechanisms, the source code should be available for analysis. | Demonstrative Examples | C/C++ Example: Java Example: Cipher des=Cipher.getInstance("DES..."); des.initEncrypt(key2); | | Context Notes | Cryptographic algorithms are the methods by which data is scrambled. There are a small
number of well understood and heavily studied algorithms that should be used by most applications.
It is quite difficult to produce a secure algorithm, and even high profile algorithms by
accomplished cryptographic experts have been broken. The use of a non-standard algorithm is
dangerous because a determined attacker may be able to break the algorithm and compromise whatever
data has been protected. Since the state of cryptography advances so rapidly, it is common to find algorithms,
which previously were considered to be safe, currently considered unsafe. In some cases, things
are discovered, or processing speed increases to the degree that the cryptographic algorithm
provides little more benefit than the use of no cryptography at all. | | Relationships | | | Source Taxonomies | CLASP - Using a broken or risky cryptographic algorithm | | Applicable Platforms | All | | Time of Introduction | Architecture and Design | | Related Attack Patterns | | CAPEC-ID | Attack Pattern Name |
|---|
| 97 | Cryptanalysis |
|
|