Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


CWE CATEGORY: Key Management Errors

Category ID: 320
Status: Draft
Description

Description Summary

Weaknesses in this category are related to errors in the management of cryptographic keys.
Applicable Platforms

Observed Examples
insecure permissions when generating secret key, allowing spoofing
administration passwords in cleartext in executable
default installation of product uses a default encryption key, allowing others to spoof the administrator
static key / global shared key -- "global shared key" - product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
static key / global shared key -- "global shared key" - product uses same secret key for all installations, allowing attackers to decrypt data.
static key / global shared key -- Product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
Exposed or accessible private key (overlaps information exposure) -- Private key stored in executable
Exposed or accessible private key (overlaps information exposure) -- Crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
Misc -- Encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, allowing the owner of the wrong key to decrypt the data.
Relationships

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 310 | Cryptographic Issues | Development Concepts (primary) 699; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ChildOf | Category | 934 | OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure | Weaknesses in OWASP Top Ten (2013) (primary) 928
ParentOf | Weakness Base | 321 | Use of Hard-coded Cryptographic Key | Development Concepts 699
ParentOf | Weakness Base | 322 | Key Exchange without Entity Authentication | Development Concepts (primary) 699
ParentOf | Weakness Base | 323 | Reusing a Nonce, Key Pair in Encryption | Development Concepts (primary) 699
ParentOf | Weakness Base | 324 | Use of a Key Past its Expiration Date | Development Concepts (primary) 699
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Key Management Errors
Maintenance Notes

This category should probably be split into multiple sub-categories.

Content History

Submission Date | Submitter | Organization | Source
| PLOVER | | Externally Mined

Modification Date | Modifier | Organization | Source
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Maintenance_Notes, Relationships, Taxonomy_Mappings
2011-03-29 | CWE Content Team | MITRE | Internal
    updated Observed_Examples
2014-06-23 | CWE Content Team | MITRE | Internal
    updated Relationships
2015-12-07 | CWE Content Team | MITRE | Internal
    updated Relationships

Page Last Updated: May 05, 2017