 
    
Structure: Simple
Abstraction: Class
Status: Draft
Likelihood of Exploit: Unknown
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Language: Language-Independent (Prevalence: Undetermined)
| Scope | Impact | Note | 
|---|---|---|
| Access Control, Confidentiality | Bypass Protection Mechanism, Read Application Data | An attacker may be able to decrypt the data using brute force attacks. | 
Strategy:
Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
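A defender-side check for the weakness described above, as an added example that is not part of the original entry: it estimates the brute-force work factor of each declared algorithm and key size and reports those below a required level. The 100-bit floor, the inventory names and the function names are assumptions made for illustration; key size is only an upper bound on strength, so an entry that passes can still be weak for structural reasons.

```python
import math

# Assumed policy floor (not from the CWE entry). Chosen so that a 2048-bit
# RSA modulus, about 110 bits by the estimate below, still passes.
REQUIRED_BITS = 100

# Symmetric ciphers whose nominal key length overstates their strength
# (meet-in-the-middle and known-plaintext attacks on DES variants).
SYMMETRIC_EFFECTIVE = {("DES", 56): 56, ("3DES", 112): 80, ("3DES", 168): 112}

def rsa_strength(modulus_bits):
    """Estimate symmetric-equivalent bits for an RSA/DH modulus from the
    general number field sieve running-time approximation."""
    x = modulus_bits * math.log(2)
    cost = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return cost / math.log(2)

def effective_bits(algorithm, key_bits):
    """Return the estimated work factor, in bits, to recover one key."""
    alg = algorithm.upper()
    if alg in ("RSA", "DH", "DSA"):
        return rsa_strength(key_bits)
    if alg in ("ECDSA", "ECDH"):
        return key_bits / 2  # generic square-root attack on the group
    return SYMMETRIC_EFFECTIVE.get((alg, key_bits), key_bits)

def audit(inventory, required=REQUIRED_BITS):
    """Return (name, algorithm, key_bits, strength) for every entry whose
    estimated strength falls below the required level."""
    findings = []
    for name, alg, bits in inventory:
        strength = effective_bits(alg, bits)
        if strength < required:
            findings.append((name, alg, bits, round(strength)))
    return findings

# Constructed sample inventory; all names are hypothetical.
SAMPLE = [
    ("backup-archive", "DES", 56),
    ("legacy-vpn", "RSA", 1024),
    ("payment-hsm", "3DES", 168),
    ("api-tls", "RSA", 3072),
    ("session-cookie", "RC4", 40),
    ("db-column", "AES", 256),
    ("code-signing", "ECDSA", 256),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("below %d bits: %s" % (REQUIRED_BITS, finding))
```
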
| Reference | Description | Link | 
|---|---|---|
| CVE-2001-1546 | Weak encryption | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1546 | 
| CVE-2004-2172 | Weak encryption (chosen plaintext attack) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2172 | 
| CVE-2002-1682 | Weak encryption | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1682 | 
| CVE-2002-1697 | Weak encryption produces same ciphertext from the same plaintext blocks. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1697 | 
| CVE-2002-1739 | Weak encryption | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1739 | 
| CVE-2005-2281 | Weak encryption scheme | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2281 | 
| CVE-2002-1872 | Weak encryption (XOR) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1872 | 
| CVE-2002-1910 | Weak encryption (reversible algorithm). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1910 | 
| CVE-2002-1946 | Weak encryption (one-to-one mapping). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1946 | 
| CVE-2002-1975 | Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1975 | 
Maintenance: A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.

Maintenance: Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.
| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name | 
|---|---|---|---|
| PLOVER | | | Weak Encryption |
| OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage | 
| OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications | 
| OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage |