Use of a Key Past its Expiration Date
Weakness ID: 324 (Weakness Base)Status: Draft
+ Description

Description Summary

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Authentication

The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.

+ Likelihood of Exploit

Low

+ Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++ 
if (!(cert = SSL_get_peer(certificate(ssl)) || !host)
foo=SSL_get_verify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) //do stuff
+ Potential Mitigations

Phase: Architecture and Design

Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

Run time: Users must heed warnings and generate new keys and passwords when they expire.

+ Other Notes

While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory320Key Management Errors
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base672Operation on a Resource after Expiration or Release
Research Concepts (primary)1000
PeerOfWeakness BaseWeakness Base298Improper Validation of Certificate Expiration
Research Concepts1000
PeerOfWeakness VariantWeakness Variant262Not Using Password Aging
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPUsing a key past its expiration date
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Using a Key Past its Expiration Date
Back to top