Inadequate Encryption Strength
Weakness ID: 326 (Weakness Class) | Status: Draft
Description Summary
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Extended Description
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Common Consequences
Scope | Effect |
---|---|
Confidentiality | An attacker may be able to decrypt the data using brute force attacks. |
Observed Examples
Reference | Description |
---|---|
CVE-2001-1546 | Weak encryption |
CVE-2004-2172 | Weak encryption (chosen plaintext attack) |
CVE-2002-1682 | Weak encryption |
CVE-2002-1697 | Weak encryption produces same ciphertext from the same plaintext blocks. |
CVE-2002-1739 | Weak encryption |
CVE-2005-2281 | Weak encryption scheme |
CVE-2002-1872 | Weak encryption (XOR) |
CVE-2002-1910 | Weak encryption (reversible algorithm). |
CVE-2002-1946 | Weak encryption (one-to-one mapping). |
CVE-2002-1975 | Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). |
Potential Mitigations
Phase: Architecture and Design. Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
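The description and mitigation above turn on one question: does the scheme's effective security level meet the level the data requires? As an added example (not part of the CWE entry), the Python below compares a scheme's effective security bits against a required level and estimates expected brute-force time; the security-bit equivalences are the commonly published ones (nominal key length is deliberately not used, since 2-key 3DES and RSA show how the two differ), and the attacker rate of 1e12 keys per second is an assumed figure.

```python
"""Adequacy check for CWE-326: is a sound scheme strong enough for the required level?"""
from dataclasses import dataclass

# Effective security in bits, not nominal key length. Widely published equivalences
# (e.g. NIST SP 800-57 Part 1). 3DES and RSA show why key length alone misleads.
EFFECTIVE_BITS = {
    "DES": 56,
    "3DES-2key": 80,     # 112-bit key, but meet-in-the-middle leaves ~80 bits
    "3DES-3key": 112,    # 168-bit key, ~112 bits effective
    "RC2-40": 40,
    "AES-128": 128,
    "AES-256": 256,
    "RSA-1024": 80,
    "RSA-2048": 112,
    "RSA-3072": 128,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class Assessment:
    scheme: str
    effective_bits: int
    required_bits: int
    expected_years: float   # expected brute-force time at the assumed attacker rate
    adequate: bool


def expected_brute_force_years(effective_bits: int, keys_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    trials = 2.0 ** (effective_bits - 1)
    return trials / keys_per_second / SECONDS_PER_YEAR


def assess(scheme: str, required_bits: int, keys_per_second: float = 1e12) -> Assessment:
    """Flag a scheme as inadequate when its effective security is below the required level.
    keys_per_second is an assumed attacker budget (constructed value, default 1e12 keys/s)."""
    bits = EFFECTIVE_BITS[scheme]
    years = expected_brute_force_years(bits, keys_per_second)
    return Assessment(scheme, bits, required_bits, years, bits >= required_bits)


def adequate_schemes(required_bits: int) -> list:
    """Schemes in the table that meet the required level, weakest first."""
    ok = [s for s, b in EFFECTIVE_BITS.items() if b >= required_bits]
    return sorted(ok, key=lambda s: EFFECTIVE_BITS[s])


if __name__ == "__main__":
    for scheme in ("DES", "3DES-2key", "3DES-3key", "AES-128"):
        a = assess(scheme, required_bits=112)
        verdict = "OK" if a.adequate else "INADEQUATE"
        print(f"{a.scheme:10} {a.effective_bits:4} bits  ~{a.expected_years:.3g} years  {verdict}")
```

A scheme that passes at 80 bits can fail at 112, which is the distinction this entry draws from CWE-327: the algorithm is not broken, it is merely too small for the protection level required.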
Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | | 310 | Cryptographic Issues | Development Concepts (primary) (699) |
ChildOf | | 693 | Protection Mechanism Failure | Research Concepts (primary) (1000) |
ChildOf | | 719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Weaknesses in OWASP Top Ten (2007) (primary) (629) |
ChildOf | | 720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | Weaknesses in OWASP Top Ten (2007) (629) |
ChildOf | | 729 | OWASP Top Ten 2004 Category A8 - Insecure Storage | Weaknesses in OWASP Top Ten (2004) (primary) (711) |
ParentOf | | 261 | Weak Cryptography for Passwords | Development Concepts (699); Research Concepts (primary) (1000) |
ParentOf | | 328 | Reversible One-Way Hash | Research Concepts (1000) |
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | Weak Encryption |
OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage |
OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications |
OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage |
Maintenance Notes
A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.
Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.
Content History
Submissions
Submission Date | Submitter | Organization | Source |
---|---|---|---|
 | PLOVER | | Externally Mined |
Modifications
Modification Date | Modifier | Organization | Source | Note |
---|---|---|---|---|
2008-08-15 | Veracode | | External | Suggested OWASP Top Ten 2004 mapping |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Maintenance Notes, Relationships, Taxonomy Mappings |
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Related Attack Patterns |
2009-07-08 (Critical) | CWE Content Team | MITRE | Internal | Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. |
2009-07-27 | CWE Content Team | MITRE | Internal | updated Common Consequences, Description, Maintenance Notes, Name |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Relationships |
Previous Entry Names
Change Date | Previous Entry Name |
---|---|
2009-07-27 | Weak Encryption |