CWE-324 使用已过期的密钥
Use of a Key Past its Expiration Date
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: Low
基本描述
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
扩展描述
While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 672 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: PeerOf cwe_CWE_ID: 298 cwe_View_ID: 1000
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] | The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim. |
可能的缓解方案
Architecture and Design
策略:
Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.
示例代码
例
The following code attempts to verify that a certificate is valid.
bad C
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))
//do stuff
The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Using a key past its expiration date |