Key Management Errors
Category ID: 320 (Category); Status: Draft
+ Description

Description Summary

Weaknesses in this category are related to errors in the management of cryptographic keys.
+ Applicable Platforms



+ Observed Examples
CVE-2005-2146: insecure permissions when generating secret key, allowing spoofing
CVE-2001-1527: administration passwords in cleartext in executable
CVE-2000-0762: default installation of product uses a default encryption key, allowing others to spoof the administrator
CVE-2002-1947: static key / global shared key -- product uses same SSL key for all installations, allowing attackers to eavesdrop or hijack session.
CVE-2005-4002: static key / global shared key -- product uses same secret key for all installations, allowing attackers to decrypt data.
CVE-2005-2196: static key / global shared key -- product uses default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. Overlaps: default.
CVE-2005-1794: exposed or accessible private key (overlaps information leak) -- private key stored in executable
CVE-2001-0072: exposed or accessible private key (overlaps information leak) -- crypto program imports both public and private keys but does not tell the user about the private keys, possibly breaking the web of trust.
CVE-2005-3256: misc -- encryption product accidentally selects the wrong key if the key doesn't have additional fields that are normally expected, leading to an information leak to the owner of that wrong key
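Two of the patterns above, a key shared by every installation (CVE-2002-1947, CVE-2005-4002) and a key file created with insecure permissions (CVE-2005-2146), shown from the mitigation side. This is an added example, not code from the CWE entry or from any of the listed products; the file names, the 32-byte key length and the 0600 mode are assumptions.

```python
import os
import secrets
import stat
import tempfile

KEY_BYTES = 32                             # assumed 256-bit symmetric key
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other access bit


def provision_key(path: str) -> bytes:
    """Generate a fresh per-installation key and store it as mode 0600.
    O_CREAT|O_EXCL fails if anything already exists at path, so an existing key
    or a planted symlink is never overwritten; the mode is set at creation."""
    key = secrets.token_bytes(KEY_BYTES)   # never a constant shipped in the binary
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def load_key(path: str) -> bytes:
    """Read the key, refusing files that other users can read or write."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & UNSAFE_BITS:
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))}")
    with open(path, "rb") as fh:
        key = fh.read()
    if len(key) != KEY_BYTES:
        raise ValueError(f"{path}: expected {KEY_BYTES} bytes, got {len(key)}")
    return key


def demo(workdir=None) -> dict:
    """Provision two 'installations' and probe both checks; returns observations."""
    workdir = workdir or tempfile.mkdtemp()
    path_a, path_b = (os.path.join(workdir, n) for n in ("a.key", "b.key"))
    key_a, key_b = provision_key(path_a), provision_key(path_b)
    os.chmod(path_b, 0o644)                # constructed: CVE-2005-2146 style error
    try:
        load_key(path_b)
        rejected = False
    except PermissionError:
        rejected = True
    return {"distinct": key_a != key_b,
            "mode_a": stat.S_IMODE(os.stat(path_a).st_mode),
            "reload_ok": load_key(path_a) == key_a,
            "insecure_rejected": rejected}
```

Run on a POSIX system; umask can only remove bits from 0600, so the stored mode is never wider than owner read/write.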
+ Relationships
Nature   | Type          | ID  | Name                                        | View(s) this relationship pertains to
ChildOf  | Category      | 310 | Cryptographic Issues                        | Development Concepts (primary) (699)
ParentOf | Weakness Base | 321 | Use of Hard-coded Cryptographic Key         | Development Concepts (699)
ParentOf | Weakness Base | 322 | Key Exchange without Entity Authentication  | Development Concepts (primary) (699)
ParentOf | Weakness Base | 323 | Reusing a Nonce, Key Pair in Encryption     | Development Concepts (primary) (699)
ParentOf | Weakness Base | 324 | Use of a Key Past its Expiration Date       | Development Concepts (primary) (699)
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER               |         |     | Key Management Errors
+ Maintenance Notes

This category should probably be split into multiple sub-categories.

+ Content History
Submission Date | Submitter | Organization | Source
                | PLOVER    |              | Externally Mined

Modification Date | Modifier         | Organization | Source
2008-09-08        | CWE Content Team | MITRE        | Internal
  updated Maintenance Notes, Relationships, Taxonomy Mappings