Category:Cryptographic Vulnerability

Revision as of 14:45, 15 September 2006 by Weilin Zhong (talk | contribs) (Examples)


This category is for tagging vulnerabilities related to cryptographic modules.


  • Algorithm Problems
    • Insecure algorithm
      • Using algorithms that are proven flawed or weak (DES, MD5)
      • Using non-standard (home-grown) algorithms
    • Choosing the wrong algorithm
      • Using a hash function for encryption
      • Using an encryption algorithm for hashing
    • Inappropriate use of an algorithm
      • Using insecure block cipher modes (DES in ECB mode)
      • Initialization vector (IV) is not random, or is reused
    • Implementation errors
      • Using non-standard cryptographic implementations/libraries
  • Key Management Problems
    • Weak keys
      • Too short or not random enough
      • Using human-chosen passwords directly as cryptographic keys
    • Key disclosure
      • Keys not encrypted during storage or transmission
      • Keys not wiped from memory after use
      • Keys hard-coded in source or stored unprotected in configuration files
    • Key updates
      • Keys never rotated (allowed to age indefinitely)
  • Random Number Generator (RNG) Problems
    • Using non-cryptographic random number generators (C: rand(), Java: java.util.Random)
    • Forgetting to seed the random number generator
    • Using the same seed for the random number generator every time
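The RNG problems in the list above, shown as an added example that is not part of this category page or of any OWASP code: a session token is built from Python's non-cryptographic `random` module seeded with a low-entropy value (a Unix timestamp, here the constructed constant `ISSUE_TIME`), and an attacker who knows roughly when the token was issued recovers the seed, and therefore the token, by trying every candidate in a small window. The same search fails against a token from `secrets`, which draws from the OS CSPRNG and has no seed to guess. A fixed seed (or, in C, never calling srand()) gives the identical "random" token on every run. The token size and the ±5 minute window are assumptions chosen for the example.

```python
"""Predictable tokens from a seeded PRNG versus a CSPRNG (added example, stdlib only)."""
import random
import secrets

TOKEN_BYTES = 16  # assumed token size for this example


def insecure_token(seed: int) -> str:
    """Token built from Python's Mersenne Twister seeded with a low-entropy
    value such as int(time.time()). Anyone who can guess the seed can
    reproduce the token exactly."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def secure_token() -> str:
    """Same-sized token from the OS CSPRNG; there is no seed to recover."""
    return secrets.token_hex(TOKEN_BYTES)


def recover_seed(observed: str, approx_seed: int, window: int):
    """Attacker side: knowing the token was issued within +/- window seconds
    of approx_seed, try every candidate seed and return the one that
    reproduces the observed token, or None if no candidate matches."""
    for candidate in range(approx_seed - window, approx_seed + window + 1):
        if insecure_token(candidate) == observed:
            return candidate
    return None


def fixed_seed_repeats(seed: int = 42) -> bool:
    """Seeding with the same constant on every run yields the identical
    token every time, so two 'independent' runs produce the same value."""
    return insecure_token(seed) == insecure_token(seed)


if __name__ == "__main__":
    ISSUE_TIME = 1158331500  # constructed: Unix timestamp the server used as its seed
    victim = insecure_token(ISSUE_TIME)
    # The attacker observed the token and knows it was issued within +/- 5 minutes.
    print("recovered seed:", recover_seed(victim, ISSUE_TIME + 137, 300))
    print("secure token recoverable:", recover_seed(secure_token(), ISSUE_TIME, 300))
    print("fixed seed repeats:", fixed_seed_repeats())
```

The brute force over a 601-second window completes in well under a second; in practice the attacker's window is whatever uncertainty they have about the seed, which for a timestamp or process id is small. The fix is not a larger window but removing the seed entirely: generate keys, IVs, nonces and tokens from the platform CSPRNG (`secrets` / `os.urandom` in Python, `SecureRandom` in Java).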