{"@ID": "326", "@Name": "Inadequate Encryption Strength", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Draft", "Description": "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.", "Extended_Description": "A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "693", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}}, "Common_Consequences": {"Consequence": {"Scope": ["Access Control", "Confidentiality"], "Impact": ["Bypass Protection Mechanism", "Read Application Data"], "Note": "An attacker may be able to decrypt the data using brute force attacks."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Use an encryption scheme that is currently considered to be strong by experts in the field."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2001-1546", "Description": "Weak encryption", "Link": "https://www.cve.org/CVERecord?id=CVE-2001-1546"}, {"Reference": "CVE-2004-2172", "Description": "Weak encryption (chosen plaintext attack)", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2172"}, {"Reference": "CVE-2002-1682", "Description": "Weak encryption", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1682"}, {"Reference": "CVE-2002-1697", "Description": "Weak encryption produces same ciphertext from the same plaintext blocks.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1697"}, {"Reference": "CVE-2002-1739", "Description": "Weak encryption", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1739"}, {"Reference": "CVE-2005-2281", "Description": "Weak encryption scheme", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2281"}, {"Reference": "CVE-2002-1872", "Description": "Weak encryption (XOR)", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1872"}, {"Reference": "CVE-2002-1910", "Description": "Weak encryption (reversible algorithm).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1910"}, {"Reference": "CVE-2002-1946", "Description": "Weak encryption (one-to-one mapping).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1946"}, {"Reference": "CVE-2002-1975", "Description": "Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1975"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Weak Encryption"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A8", "Entry_Name": "Insecure Cryptographic Storage", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A9", "Entry_Name": "Insecure Communications", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A8", "Entry_Name": "Insecure Storage", "Mapping_Fit": "CWE More Specific"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "112"}, {"@CAPEC_ID": "192"}, {"@CAPEC_ID": "20"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-7", "@Section": "Chapter 8, \"Cryptographic Foibles\" Page 259"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 21: Using the Wrong Cryptography.\" Page 315"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Organization": "Veracode", "Modification_Date": "2008-08-15", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "Suggested OWASP Top Ten 2004 mapping"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Maintenance_Notes, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-03-10", "Modification_Version": "1.3", "Modification_ReleaseDate": "2009-03-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-08", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Importance": "Critical", "Modification_Comment": "Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes."}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Common_Consequences, Description, Maintenance_Notes, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-06-21", "Modification_Version": "1.9", "Modification_ReleaseDate": "2010-06-21", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Maintenance_Notes, Potential_Mitigations, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2009-07-27", "#text": "Weak Encryption"}}}
