Difference between revisions of "Failure to encrypt data"

Jump to: navigation, search
m (Added cross references for related attacks and risks)
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
[[ASDR Table of Contents]]
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
Line 47: Line 46:
==Risk Factors==
==Risk Factors==
* [[Man-in-the-middle_attack|Man in the middle attack]]
Line 85: Line 84:
==Related [[Attacks]]==
==Related [[Attacks]]==
* [[Attack 1]]
* [[Argument_Injection_or_Modification|Argument Injection or Modification]]
* [[Attack 2]]
* [[Network_Eavesdropping|Network Eavesdropping]]
* [[Repudiation_Attack|Repudiation Attack]]
Line 110: Line 110:
[[Category:FIXME|add links
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
Availability Vulnerability
Authorization Vulnerability
Authentication Vulnerability
Concurrency Vulnerability
Configuration Vulnerability
Cryptographic Vulnerability
Encoding Vulnerability
Error Handling Vulnerability
Input Validation Vulnerability
Logging and Auditing Vulnerability
Session Management Vulnerability]]
Line 143: Line 118:
[[Category:Protocol Errors]]
[[Category:Protocol Errors]]
[[Category: Cryptographic  Vulnerability]]

Latest revision as of 06:40, 10 August 2012

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 08/10/2012

Vulnerabilities Table of Contents


The failure to encrypt data passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.


  • Confidentiality: Properly encrypted data channels ensure data confidentiality.
  • Integrity: Properly encrypted data channels ensure data integrity.
  • Accountability: Properly encrypted data channels ensure accountability.

Exposure period

  • Requirements specification: Encryption should be a requirement of systems that transmit data.
  • Design: Encryption should be designed into the system at the architectural and design phases


  • Languages: Any
  • Operating platform: Any

Required resources




Likelihood of exploit

Very High

Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver.

Worse, this omission allows for the injection of data into a stream of communication between two parties - with no means for the victims to separate valid data from invalid.

In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it.

Risk Factors


In C:

server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
if (hp==NULL) error("Unknown host");
memcpy( (char *)&server.sin_addr,(char *)hp->h_addr,hp->h_length);
if (argc < 3) port = 80;
else port = (unsigned short)atoi(argv[3]);
server.sin_port = htons(port); 
	if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0)

  while ((n=read(sock,buffer,BUFSIZE-1))!=-1){

In Java:

try {
  URL u = new URL("http://www.importantsecretsite.org/");
  HttpURLConnection hu = (HttpURLConnection) u.openConnection();
  OutputStream os = hu.getOutputStream();
catch (IOException e) { //...

Related Attacks

Related Vulnerabilities

Related Controls

  • Requirements specification: require that encryption be integrated into the system.
  • Design: Ensure that encryption is properly integrated into the system design, not simply as a drop-in replacement for sockets.

Related Technical Impacts