
CWE-326: Inadequate Encryption Strength

Description Summary

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Extended Description

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Common Consequences

Scope: Access Control, Confidentiality
Technical Impact: Bypass protection mechanism; Read application data
Note: An attacker may be able to decrypt the data using brute force attacks.

Potential Mitigations

Mitigation - 1

Architecture and Design

Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

Maintenance Notes

Maintenance Note - 1

A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories.

Maintenance Note - 2

Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.

Observed Examples

Reference        Description
CVE-2001-1546    Weak encryption
CVE-2004-2172    Weak encryption (chosen plaintext attack)
CVE-2002-1682    Weak encryption
CVE-2002-1697    Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739    Weak encryption
CVE-2005-2281    Weak encryption scheme
CVE-2002-1872    Weak encryption (XOR)
CVE-2002-1910    Weak encryption (reversible algorithm).
CVE-2002-1946    Weak encryption (one-to-one mapping).
CVE-2002-1975    Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
cwe/cn/definition/326.txt · Last modified: 2014/09/04 14:32 (external edit)