CWE - CWE-327: Use of a Broken or Risky Cryptographic Algorithm (2.1)

Home > CWE List > CWE- Individual Dictionary Definition (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Use of a Broken or Risky Cryptographic Algorithm

Weakness ID: 327 (Weakness Base)

Status: Draft

Description

Description Summary

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

Extended Description

The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Well-known techniques may exist to break the algorithm.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

Language-independent

Common Consequences

Scope	Effect
Confidentiality	Technical Impact: Read application data The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
Integrity	Technical Impact: Modify application data The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
Accountability Non-Repudiation	Technical Impact: Hide activities If the cryptographic algorithm is used to ensure the identity of the source of the data (such as digital signatures), then a broken algorithm will compromise this scheme and the source of the data cannot be proven.

Likelihood of Exploit

Medium to High

Detection Methods

Automated Analysis

Automated methods may be useful for recognizing commonly-used libraries or features that have become obsolete.

Effectiveness: Moderate

False negatives may occur if the tool is not aware of the cryptographic libraries in use, or if custom cryptography is being used.

Manual Analysis

This weakness can be detected using tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session.

These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Demonstrative Examples

Example 1

These code examples use the Data Encryption Standard (DES). Once considered a strong algorithm, it is now regarded as insufficient for many applications. It has been replaced by Advanced Encryption Standard (AES).

(Bad Code)

Example Languages: C and C++

EVP_des_ecb();

(Bad Code)

Example Language: Java

Cipher des=Cipher.getInstance("DES...");

des.initEncrypt(key2);

(Bad Code)

Example Language: PHP

function encryptPassword($password){

$iv_size = mcrypt_get_iv_size(MCRYPT_DES, MCRYPT_MODE_ECB);

$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);

$key = "This is a password encryption key";

$encryptedPassword = mcrypt_encrypt(MCRYPT_DES, $key, $password, MCRYPT_MODE_ECB, $iv);

return $encryptedPassword;

}

Observed Examples

Reference	Description
CVE-2008-3775	Product uses "ROT-25" to obfuscate the password in the registry.
CVE-2007-4150	product only uses "XOR" to obfuscate sensitive data
CVE-2007-5460	product only uses "XOR" and a fixed key to obfuscate sensitive data
CVE-2005-4860	Product substitutes characters with other characters in a fixed way, and also leaves certain input characters unchanged.
CVE-2002-2058	Attackers can infer private IP addresses by dividing each octet by the MD5 hash of '20'.
CVE-2008-3188	Product uses DES when MD5 has been specified in the configuration, resulting in weaker-than-expected password hashes.
CVE-2005-2946	Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates.
CVE-2007-6013	Product uses the hash of a hash for authentication, allowing attackers to gain privileges if they can obtain the original hash.

Potential Mitigations

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis.

For example, US government systems require FIPS 140-2 certification.

Do not develop your own cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If your algorithm can be compromised if attackers find out how it works, then it is especially weak.

Periodically ensure that you aren't using obsolete cryptography. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [R.327.4]

Phase: Architecture and Design

Design your software so that you can replace one cryptographic algorithm with another. This will make it easier to upgrade to stronger algorithms.

Phase: Architecture and Design

Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Industry-standard implementations will save you development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.

Phases: Implementation; Architecture and Design

When you use industry-approved techniques, you need to use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

Background Details

Cryptographic algorithms are the methods by which data is scrambled. There are a small number of well-understood and heavily studied algorithms that should be used by most applications. It is quite difficult to produce a secure algorithm, and even high profile algorithms by accomplished cryptographic experts have been broken.

Since the state of cryptography advances so rapidly, it is common for an algorithm to be considered "unsafe" even if it was once thought to be strong. This can happen when new attacks against the algorithm are discovered, or if computing power increases so much that the cryptographic algorithm no longer provides the amount of protection that was originally thought.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	310	Cryptographic Issues	Development Concepts (primary)699
ChildOf	Weakness Class	693	Protection Mechanism Failure	Research Concepts (primary)1000
ChildOf	Category	729	OWASP Top Ten 2004 Category A8 - Insecure Storage	Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf	Category	753	2009 Top 25 - Porous Defenses	Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
ChildOf	Category	803	2010 Top 25 - Porous Defenses	Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)800
ChildOf	Category	816	OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage	Weaknesses in OWASP Top Ten (2010) (primary)809
ChildOf	Category	861	CERT Java Secure Coding Section 49 - Miscellaneous (MSC)	Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOf	Category	866	2011 Top 25 - Porous Defenses	Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors (primary)900
ChildOf	Category	883	CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)	Weaknesses Addressed by the CERT C++ Secure Coding Standard (primary)868
PeerOf	Weakness Base	311	Missing Encryption of Sensitive Data	Research Concepts1000
ParentOf	Weakness Base	328	Reversible One-Way Hash	Research Concepts (primary)1000
ParentOf	Weakness Class	759	Use of a One-Way Hash without a Salt	Research Concepts (primary)1000
ParentOf	Weakness Class	760	Use of a One-Way Hash with a Predictable Salt	Research Concepts (primary)1000
ParentOf	Weakness Variant	780	Use of RSA Algorithm without OAEP	Research Concepts (primary)1000
CanFollow	Weakness Base	208	Information Exposure Through Timing Discrepancy	Research Concepts1000
PeerOf	Weakness Variant	301	Reflection Attack in an Authentication Protocol	Research Concepts1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Using a broken or risky cryptographic algorithm
OWASP Top Ten 2004	A8	CWE_More_Specific	Insecure Storage
CERT Java Secure Coding	MSC01-J		Do not use insecure or weak cryptographic algorithms
CERT Java Secure Coding	MSC02-J		Generate strong random numbers
CERT C++ Secure Coding	MSC30-CPP		Do not use the rand() function for generating pseudorandom numbers
CERT C++ Secure Coding	MSC32-CPP		Ensure your random number generator is properly seeded

Related Attack Patterns

CAPEC-ID	Attack Pattern Name	(CAPEC Version: 1.6)
20	Encryption Brute Forcing
97	Cryptanalysis

References

[R.327.1] [REF-6] Bruce Schneier. "Applied Cryptography". John Wiley & Sons. 1996. <http://www.schneier.com/book-applied.html>.

[R.327.2] Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. "Handbook of Applied Cryptography". October 1996. <http://www.cacr.math.uwaterloo.ca/hac/>.

[R.327.3] [REF-10] C Matthew Curtin. "Avoiding bogus encryption products: Snake Oil FAQ". 1998-04-10. <http://www.faqs.org/faqs/cryptography-faq/snake-oil/>.

[R.327.4] [REF-1] Information Technology Laboratory, National Institute of Standards and Technology. "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES". 2001-05-25. <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>.

[R.327.5] Paul F. Roberts. "Microsoft Scraps Old Encryption in New Code". 2005-09-15. <http://www.eweek.com/c/a/Security/Microsoft-Scraps-Old-Encryption-in-New-Code/>.

[R.327.6] [REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Cryptographic Foibles" Page 259. 2nd Edition. Microsoft. 2002.

[R.327.7] [REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 21: Using the Wrong Cryptography." Page 315. McGraw-Hill. 2010.

[R.327.8] Johannes Ullrich. "Top 25 Series - Rank 24 - Use of a Broken or Risky Cryptographic Algorithm". SANS Software Security Institute. 2010-03-25. <http://blogs.sans.org/appsecstreetfighter/2010/03/25/top-25-series-rank-24-use-of-a-broken-or-risky-cryptographic-algorithm/>.

Maintenance Notes

Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-08-15		Veracode	External
2008-08-15	Suggested OWASP Top Ten 2004 mapping
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Background_Details, Common_Consequences, Description, Relationships, Taxonomy_Mappings
2009-01-12	CWE Content Team	MITRE	Internal
2009-01-12	updated Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Relationships
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Potential_Mitigations
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Maintenance_Notes, Relationships
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Relationships
2009-12-28	CWE Content Team	MITRE	Internal
2009-12-28	updated References
2010-02-16	CWE Content Team	MITRE	Internal
2010-02-16	updated Detection_Factors, References, Relationships
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Applicable_Platforms, Potential_Mitigations, Related_Attack_Patterns
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Relationships
2010-09-27	CWE Content Team	MITRE	Internal
2010-09-27	updated Potential_Mitigations, Relationships
2011-03-29	CWE Content Team	MITRE	Internal
2011-03-29	updated Demonstrative_Examples, Description
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	MITRE	Internal
2011-06-27	updated Relationships
2011-09-13	CWE Content Team	MITRE	Internal
2011-09-13	updated Potential_Mitigations, Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2008-04-11	Using a Broken or Risky Cryptographic Algorithm

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us