CWE-324 使用已过期的密钥

Use of a Key Past its Expiration Date

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: Low


The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.


While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.


  • cwe_Nature: ChildOf cwe_CWE_ID: 672 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: PeerOf cwe_CWE_ID: 298 cwe_View_ID: 1000


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Access Control ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.


Architecture and Design


Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.


The following code attempts to verify that a certificate is valid.

bad C

if (cert = SSL_get_peer_certificate(ssl)) {
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))

//do stuff

The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.


映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Using a key past its expiration date