CWE-324 使用已过期的密钥

Use of a Key Past its Expiration Date

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: Low

基本描述

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

扩展描述

While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 672 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: PeerOf cwe_CWE_ID: 298 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.

可能的缓解方案

Architecture and Design

策略:

Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

示例代码

The following code attempts to verify that a certificate is valid.

bad C

if (cert = SSL_get_peer_certificate(ssl)) {
foo=SSL_get_verify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))

//do stuff
}

The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Using a key past its expiration date

引用