Inadequate Encryption Strength
Weakness ID: 326 (Weakness Class)Status: Draft
+ Description

Description Summary

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Confidentiality

An attacker may be able to decrypt the data using brute force attacks.

+ Observed Examples
ReferenceDescription
CVE-2001-1546Weak encryption
CVE-2004-2172Weak encryption (chosen plaintext attack)
CVE-2002-1682Weak encryption
CVE-2002-1697Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739Weak encryption
CVE-2005-2281Weak encryption scheme
CVE-2002-1872Weak encryption (XOR)
CVE-2002-1910Weak encryption (reversible algorithm).
CVE-2002-1946Weak encryption (one-to-one mapping).
CVE-2002-1975Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
+ Potential Mitigations

Phase: Architecture and Design

Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory310Cryptographic Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
ChildOfCategoryCategory719OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOfCategoryCategory720OWASP Top Ten 2007 Category A9 - Insecure Communications
Weaknesses in OWASP Top Ten (2007)629
ChildOfCategoryCategory729OWASP Top Ten 2004 Category A8 - Insecure Storage
Weaknesses in OWASP Top Ten (2004) (primary)711
ParentOfWeakness VariantWeakness Variant261Weak Cryptography for Passwords
Development Concepts699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base328Reversible One-Way Hash
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERWeak Encryption
OWASP Top Ten 2007A8CWE More SpecificInsecure Cryptographic Storage
OWASP Top Ten 2007A9CWE More SpecificInsecure Communications
OWASP Top Ten 2004A8CWE More SpecificInsecure Storage
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
20Encryption Brute Forcing
112Brute Force
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 8, "Cryptographic Foibles" Page 259. 2nd Edition. Microsoft. 2002.
+ Maintenance Notes

A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.

Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-08-15VeracodeExternal
Suggested OWASP Top Ten 2004 mapping
2008-09-08CWE Content TeamMITREInternal
updated Maintenance Notes, Relationships, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-05-27CWE Content TeamMITREInternal
updated Related Attack Patterns
2009-07-08
(Critical)
CWE Content TeamMITREInternal
Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes.
2009-07-27CWE Content TeamMITREInternal
updated Common Consequences, Description, Maintenance Notes, Name
2009-10-29CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2009-07-27Weak Encryption