CWE-321 使用硬编码的密码学密钥
Use of Hard-coded Cryptographic Key
结构: Simple
Abstraction: Base
状态: Draft
被利用可能性: High
基本描述
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 798 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 798 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] | If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question. |
可能的缓解方案
Architecture and Design
策略:
Prevention schemes mirror that of hard-coded password storage.
示例代码
例
The following code examples attempt to verify a password using a hard-coded cryptographic key.
bad C
printf("Incorrect Password!\n");
return(0);
printf("Entering Diagnostic Mode...\n");
return(1);
bad Java
return true;
System.out.println("Incorrect Password!");
return false;
bad C#
return(1);
Console.WriteLine("Incorrect Password!");
return(0);
The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.
Notes
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| CLASP | Use of hard-coded cryptographic key | ||
| OWASP Top Ten 2007 | A8 | CWE More Specific | Insecure Cryptographic Storage |
| OWASP Top Ten 2007 | A9 | CWE More Specific | Insecure Communications |
| OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage |
| Software Fault Patterns | SFP33 | Hardcoded sensitive data |