CWE-326 – Inadequate Encryption Strength

Description

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-693

Consequences

Access Control, Confidentiality: Bypass Protection Mechanism, Read Application Data

An attacker may be able to decrypt the data using brute force attacks.

Potential Mitigations

Phase: Architecture and Design

Description: 

Use an encryption scheme that is currently considered to be strong by experts in the field.

CVE References

• CVE-2001-1546
  • Weak encryption

• CVE-2004-2172
  • Weak encryption (chosen plaintext attack)

• CVE-2002-1682
  • Weak encryption

• CVE-2002-1697
  • Weak encryption produces same ciphertext from the same plaintext blocks.

• CVE-2002-1739
  • Weak encryption

• CVE-2005-2281
  • Weak encryption scheme

• CVE-2002-1872
  • Weak encryption (XOR)

• CVE-2002-1910
  • Weak encryption (reversible algorithm).

• CVE-2002-1946
  • Weak encryption (one-to-one mapping).

• CVE-2002-1975
  • Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).