Use of Hard-coded Cryptographic Key
Weakness ID: 321 (Weakness Base)Status: Draft
+ Description

Description Summary

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Authentication

If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.

+ Likelihood of Exploit

High

+ Demonstrative Examples

Example 1

The following code examples attempt to verify a password using a hard-coded cryptographic key. The cryptographic key is within a hard-coded string value that is compared to the password and a true or false value is returned for verification that the password is equivalent to the hard-coded cryptographic key.

(Bad Code)
Example Languages: C and C++ 
int VerifyAdmin(char *password) {
if (strcmp(password,"68af404b513073584c4b6f22b6c63e6b")) {

printf("Incorrect Password!\n");
return(0);
}
printf("Entering Diagnostic Mode...\n");
return(1);
}
(Bad Code)
Example Language: Java 
public boolean VerifyAdmin(String password) {
if (password.equals("68af404b513073584c4b6f22b6c63e6b")) {
System.out.println("Entering Diagnostic Mode...");
return true;
}
System.out.println("Incorrect Password!");
return false;
(Bad Code)
Example Language: C# 
int VerifyAdmin(String password) {
if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {
Console.WriteLine("Entering Diagnostic Mode...");
return(1);
}
Console.WriteLine("Incorrect Password!");
return(0);
}
+ Potential Mitigations

Phase: Architecture and Design

Prevention schemes mirror that of hard-coded password storage.

+ Other Notes

The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys. Many people believe that simply hashing a hard-coded password before storage will protect the information from malicious users. However, many hashes are reversible (or at least vulnerable to brute force attacks) -- and further, many authentication protocols simply request the hash itself, making it no better than a password.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory320Key Management Errors
Development Concepts699
ChildOfWeakness BaseWeakness Base344Use of Invariant Value in Dynamically Changing Context
Research Concepts1000
ChildOfWeakness ClassWeakness Class671Lack of Administrator Control over Security
Research Concepts1000
ChildOfCategoryCategory719OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory720OWASP Top Ten 2007 Category A9 - Insecure Communications
Weaknesses in OWASP Top Ten (2007)629
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfWeakness BaseWeakness Base798Use of Hard-coded Credentials
Development Concepts (primary)699
Research Concepts (primary)1000
CanFollowWeakness BaseWeakness Base656Reliance on Security through Obscurity
Research Concepts1000
PeerOfWeakness BaseWeakness Base259Use of Hard-coded Password
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPUse of hard-coded cryptographic key
OWASP Top Ten 2007A8CWE More SpecificInsecure Cryptographic Storage
OWASP Top Ten 2007A9CWE More SpecificInsecure Communications
OWASP Top Ten 2004A8CWE More SpecificInsecure Storage
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples