Use of Hard-coded Cryptographic Key
Weakness ID: 321 (Weakness Base) | Status: Draft
Description Summary
Scope | Effect |
---|---|
Authentication | If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. |
Example 1
The following code examples attempt to verify a password using a hard-coded cryptographic key. The cryptographic key is within a hard-coded string value that is compared to the password and a true or false value is returned for verification that the password is equivalent to the hard-coded cryptographic key.
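The check described above, written out as an added example that is not the CWE entry's own demonstrative code: `verify_admin_hardcoded` compares the password against a key literal compiled into the binary, and `verify_admin_external` shows the mirrored mitigation, taking the key from outside the binary and comparing in constant time. The key literal, the function names and the `ADMIN_KEY` environment variable are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Weak form, as CWE-321 describes: the key is a string literal compiled into
 * the binary, so anyone who can read the executable recovers it. The literal
 * is a constructed placeholder, not a real key. */
int verify_admin_hardcoded(const char *password)
{
    if (password == NULL ||
        strcmp(password, "HARDCODED-KEY-PLACEHOLDER") != 0) {
        return 0;   /* not authorised */
    }
    return 1;       /* diagnostic mode granted */
}

/* Length-aware comparison whose running time does not depend on where the
 * first mismatching byte sits, so timing does not leak key material. */
static int ct_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    unsigned char diff = (unsigned char)(alen != blen);
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++) {
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Hardened form: the key is supplied by the caller from outside the binary
 * (a secrets manager, a protected config file, or the environment variable
 * read below) and compared in constant time. A missing or empty key fails
 * closed instead of falling back to a literal. */
int verify_admin_external(const char *password, const char *key)
{
    if (password == NULL || key == NULL || key[0] == '\0') {
        return 0;
    }
    return ct_equal(password, strlen(password), key, strlen(key));
}

/* Convenience wrapper: ADMIN_KEY is an environment variable name chosen for
 * this example, not something the CWE entry specifies. */
int verify_admin_from_env(const char *password)
{
    return verify_admin_external(password, getenv("ADMIN_KEY"));
}
```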
Phase: Architecture and Design: Prevention schemes mirror that of hard-coded password storage.
The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 320 | Key Management Errors | Development Concepts (699) |
ChildOf | Weakness Base | 344 | Use of Invariant Value in Dynamically Changing Context | Research Concepts (1000) |
ChildOf | Weakness Class | 671 | Lack of Administrator Control over Security | Research Concepts (1000) |
ChildOf | Category | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Weaknesses in OWASP Top Ten (2007) (primary) (629) |
ChildOf | Category | 720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | Weaknesses in OWASP Top Ten (2007) (629) |
ChildOf | Category | 729 | OWASP Top Ten 2004 Category A8 - Insecure Storage | Weaknesses in OWASP Top Ten (2004) (primary) (711) |
ChildOf | Weakness Base | 798 | Use of Hard-coded Credentials | Development Concepts (primary) (699), Research Concepts (primary) (1000) |
CanFollow | Weakness Base | 656 | Reliance on Security through Obscurity | Research Concepts (1000) |
PeerOf | Weakness Base | 259 | Use of Hard-coded Password | Research Concepts (1000) |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CLASP | | | Use of hard-coded cryptographic key |
OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage |
OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications |
OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage |
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
| CLASP | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Comment |
---|---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-08-15 | | Veracode | External | Suggested OWASP Top Ten 2004 mapping |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Demonstrative Examples |