Missing Required Cryptographic Step |
Weakness ID: 325 (Weakness Base) | Status: Incomplete |
Description Summary
The software does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by that algorithm.
Extended Description
Cryptographic implementations should follow the algorithms that define them exactly, otherwise encryption can be weaker than expected.
Developers sometimes omit certain "expensive" (resource-intensive) steps in order to improve performance, especially in devices with limited memory or CPU cycles. This could be done under a mistaken impression that the step is unnecessary for preserving security. Alternately, the developer might adopt a threat model that is inconsistent with that of its consumers by accepting a risk for which the remaining protection seems "good enough." |
This issue can be introduced when the requirements for the algorithm are not clearly stated. |
Reference | Description |
---|---|
CVE-2001-1585 | Missing challenge-response step allows authentication bypass using public key. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Category | 310 | Cryptographic Issues | Development Concepts (primary)699 |
ChildOf | Weakness Class | 573 | Failure to Follow Specification | Research Concepts (primary)1000 |
ChildOf | Category | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Weaknesses in OWASP Top Ten (2007) (primary)629 |
ChildOf | Category | 720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | Weaknesses in OWASP Top Ten (2007)629 |
PeerOf | Weakness Base | 358 | Improperly Implemented Security Check for Standard | Research Concepts1000 |
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | Missing Required Cryptographic Step | ||
OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage |
OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications |
CAPEC-ID | Attack Pattern Name | (CAPEC Version: 1.4) |
---|---|---|
68 | Subvert Code-signing Facilities |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Description, Functional Areas, Modes of Introduction, Relationships, Observed Example, Relationship Notes, Taxonomy Mappings |