# Category:Cryptographic Vulnerability

From OWASP

This category is for tagging vulnerabilities that related to cryptographic modules.

## Examples

- Algorithm Problems
- Insecure Algorithm
- Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
- Use non-standard (home-grown) algorithms

- Choose the wrong algorithm
- Use hash function for encryption
- Use encryption algorithm for hashing

- Inappropriate use of an algorithm
- Use insecure encryption modes (DES EBC)
- Initial vector is not random

- Implementation errors
- Use non-standard cryptographic implementations/libraries

- Insecure Algorithm
- Key Management Problems
- Weak keys
- Too short or not random enough
- Use human chosen passwords as cryptographic keys

- Key disclosure
- Keys not encrypted during storage or transmission
- Keys not cleaned appropriately after use
- Keys Hard-coded in the code or stored in configuration files

- Key updates
- Allow keys aging

- Weak keys
- Random Number Generator (RNG) Problems
- Poor random number generators (c: rand(), Java: java.util.Random())
- Forget to seed the random number generator
- Use the same seed for the random number generator every time
- Sniffing

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

## Pages in category "Cryptographic Vulnerability"

The following 9 pages are in this category, out of 9 total.