Category:Cryptographic Vulnerability
From OWASP
This category is for tagging vulnerabilities that relate to cryptographic modules.
Examples
- Algorithm Problems
  - Insecure Algorithm
    - Use algorithms that are proven flawed or weak (DES, MD5)
    - Use non-standard (home-grown) algorithms
  - Choose the wrong algorithm
    - Use hash function for encryption
    - Use encryption algorithm for hashing
  - Inappropriate use of an algorithm
    - Use insecure encryption modes (DES ECB)
    - Initialization vector (IV) is not random
  - Implementation errors
    - Use non-standard cryptographic implementations/libraries
- Key Management Problems
  - Weak keys
    - Too short or not random enough
    - Use human-chosen passwords as cryptographic keys
  - Key disclosure
    - Keys not encrypted during storage or transmission
    - Keys not cleaned appropriately after use
    - Keys hard-coded in the code or stored in configuration files
  - Key updates
    - Allow keys to age
- Random Number Generator (RNG) Problems
  - Poor random number generators (C: rand(), Java: java.util.Random())
  - Forget to seed the random number generator
  - Use the same seed for the random number generator every time
Pages in category "Cryptographic Vulnerability"
The following 14 pages are in this category, out of 14 total.

