This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Using a broken or risky cryptographic algorithm"
From OWASP
Weilin Zhong (talk | contribs) |
|||
| Line 1: | Line 1: | ||
{{Template:SecureSoftware}} | {{Template:SecureSoftware}} | ||
| + | {{Template:Vulnerability}} | ||
| − | + | [[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]] | |
| + | |||
| + | |||
| + | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
| + | |||
| + | [[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]] | ||
| + | |||
| + | [[ASDR Table of Contents]] | ||
| + | __TOC__ | ||
| − | |||
| − | == | + | ==Description== |
| − | |||
| − | + | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information. | |
| − | + | '''Consequences''' | |
| − | + | * Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. | |
| + | * Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm. | ||
| + | * Accountability: Any accountability to message content preserved by cryptography may be subject to attack. | ||
| − | + | '''Exposure period''' | |
| − | + | * Design: The decision as to what cryptographic algorithm to utilize is generally made at design time. | |
| − | + | '''Platform''' | |
| − | * Operating platforms: All | + | * Languages: All |
| + | * Operating platforms: All | ||
| − | + | '''Required resources''' | |
Any | Any | ||
| − | + | '''Severity''' | |
High | High | ||
| − | + | '''Likelihood of exploit''' | |
Medium to High | Medium to High | ||
| − | + | Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all. | |
| + | |||
| − | |||
| − | == | + | ==Risk Factors== |
| + | |||
| + | TBD | ||
| − | |||
| − | ==Examples == | + | ==Examples== |
In C/C++: | In C/C++: | ||
| Line 56: | Line 67: | ||
Cipher des=Cipher.getInstance("DES...); | Cipher des=Cipher.getInstance("DES...); | ||
des.initEncrypt(key2); | des.initEncrypt(key2); | ||
| − | <pre> | + | </pre> |
| + | |||
| + | |||
| + | ==Related [[Attacks]]== | ||
| + | |||
| + | * [[Attack 1]] | ||
| + | * [[Attack 2]] | ||
| + | |||
| + | |||
| + | ==Related [[Vulnerabilities]]== | ||
| + | |||
| + | * [[Failure to encrypt data]] | ||
| + | |||
| + | |||
| + | |||
| + | ==Related [[Controls]]== | ||
| + | |||
| + | * Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field. | ||
| + | |||
| + | |||
| + | ==Related [[Technical Impacts]]== | ||
| + | |||
| + | * [[Technical Impact 1]] | ||
| + | * [[Technical Impact 2]] | ||
| + | |||
| + | |||
| + | ==References== | ||
| − | + | TBD | |
| − | |||
| − | + | __NOTOC__ | |
| − | |||
| + | [[Category:OWASP ASDR Project]] | ||
[[Category:Vulnerability]] | [[Category:Vulnerability]] | ||
| − | |||
[[Category:Cryptographic Vulnerability]] | [[Category:Cryptographic Vulnerability]] | ||
Revision as of 14:19, 3 October 2008
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Last revision (mm/dd/yy): 10/3/2008
Vulnerabilities Table of Contents
Description
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.
Consequences
- Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
- Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
- Accountability: Any accountability to message content preserved by cryptography may be subject to attack.
Exposure period
- Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.
Platform
- Languages: All
- Operating platforms: All
Required resources
Any
Severity
High
Likelihood of exploit
Medium to High
Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all.
Risk Factors
TBD
Examples
In C/C++:
EVP_des_ecb();
In Java:
Cipher des=Cipher.getInstance("DES...);
des.initEncrypt(key2);
Related Attacks
Related Vulnerabilities
Related Controls
- Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
Related Technical Impacts
References
TBD
