CWE-326 – Inadequate Encryption Strength

Description

The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-693

Consequences

Access Control, Confidentiality: Bypass Protection Mechanism, Read Application Data

An attacker may be able to decrypt the data using brute force attacks.

Potential Mitigations

Phase: Architecture and Design

Description: Use an encryption scheme that is currently considered to be strong by experts in the field.

CVE References

  • CVE-2002-1697
    • Weak encryption produces same ciphertext from the same plaintext blocks.
  • CVE-2002-1975
    • Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
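The fixed-salt weakness noted under CVE-2002-1975, shown beside the corrected per-record salt, with an audit that flags salt reuse in stored records. This is an added example, not code from the CWE entry or from any affected product; the function names, `FIXED_SALT`, the iteration count and the sample users are assumptions made for illustration.

```python
import hashlib
import os
from collections import defaultdict

ITERATIONS = 200_000           # assumption for this demo; set from current guidance
FIXED_SALT = b"app-wide-salt"  # constructed value standing in for a hard-coded salt

def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)

def store_fixed_salt(password: str) -> tuple[bytes, bytes]:
    """Weak pattern: every record is derived with the same salt."""
    return FIXED_SALT, derive_key(password, FIXED_SALT)

def store_random_salt(password: str) -> tuple[bytes, bytes]:
    """Corrected pattern: a fresh 16-byte salt from the OS CSPRNG per record."""
    salt = os.urandom(16)
    return salt, derive_key(password, salt)

def audit_salts(records: dict[str, tuple[bytes, bytes]]) -> dict:
    """Report salts used by more than one record and records with identical keys."""
    by_salt, by_key = defaultdict(list), defaultdict(list)
    for user, (salt, key) in records.items():
        by_salt[salt.hex()].append(user)
        by_key[key].append(user)
    return {
        "reused_salts": {s: sorted(u) for s, u in by_salt.items() if len(u) > 1},
        "identical_keys": sorted(sorted(u) for u in by_key.values() if len(u) > 1),
    }

if __name__ == "__main__":
    # Constructed sample: two users happen to choose the same password.
    passwords = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    weak = {u: store_fixed_salt(p) for u, p in passwords.items()}
    strong = {u: store_random_salt(p) for u, p in passwords.items()}
    print("fixed salt :", audit_salts(weak))
    print("random salt:", audit_salts(strong))
```

With the fixed salt, equal passwords yield equal stored keys and one guess can be checked against every record at once; with per-record salts the audit reports nothing.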