CWE-326 不充分的加密强度

Inadequate Encryption Strength

结构: Simple

Abstraction: Class

状态: Draft

被利用可能性: unkown

基本描述

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

扩展描述

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 693 cwe_View_ID: 1000 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Access Control', 'Confidentiality'] ['Bypass Protection Mechanism', 'Read Application Data'] An attacker may be able to decrypt the data using brute force attacks.

可能的缓解方案

Architecture and Design

策略:

Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

分析过的案例

标识 说明 链接
CVE-2001-1546 Weak encryption https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1546
CVE-2004-2172 Weak encryption (chosen plaintext attack) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2172
CVE-2002-1682 Weak encryption https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1682
CVE-2002-1697 Weak encryption produces same ciphertext from the same plaintext blocks. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1697
CVE-2002-1739 Weak encryption https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1739
CVE-2005-2281 Weak encryption scheme https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2281
CVE-2002-1872 Weak encryption (XOR) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1872
CVE-2002-1910 Weak encryption (reversible algorithm). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1910
CVE-2002-1946 Weak encryption (one-to-one mapping). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1946
CVE-2002-1975 Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1975

Notes

Maintenance A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories. Maintenance Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Weak Encryption
OWASP Top Ten 2007 A8 CWE More Specific Insecure Cryptographic Storage
OWASP Top Ten 2007 A9 CWE More Specific Insecure Communications
OWASP Top Ten 2004 A8 CWE More Specific Insecure Storage

相关攻击模式

  • CAPEC-112
  • CAPEC-192
  • CAPEC-20

引用