Difference between revisions of "Using a broken or risky cryptographic algorithm"

From OWASP
Jump to: navigation, search
 
Line 1: Line 1:
 
  
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
Line 49: Line 48:
 
In C/C++:
 
In C/C++:
  
 +
<pre>
 
EVP_des_ecb();
 
EVP_des_ecb();
 +
</pre>
 +
 
In Java:
 
In Java:
  
 +
<pre>
 
Cipher des=Cipher.getInstance("DES...);
 
Cipher des=Cipher.getInstance("DES...);
des.initEncrypt(key2);  
+
des.initEncrypt(key2);
 +
<pre>
 +
 
 
==Related problems ==
 
==Related problems ==
  
* Failure to encrypt data  
+
* [[Failure to encrypt data]]
  
 
==Categories ==
 
==Categories ==
Line 62: Line 67:
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]
  
[[Category:Protocol Errors]]
+
[[Category:Protocol Errors]]</pre>

Revision as of 11:44, 16 April 2006


Overview

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.

Consequences

  • Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
  • Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
  • Accountability: Any accountability to message content preserved by cryptography may be subject to attack.

Exposure period

  • Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Medium to High

Avoidance and mitigation

  • Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field.

Discussion

Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all.

Examples

In C/C++:

EVP_des_ecb();

In Java:

Cipher des=Cipher.getInstance("DES...);
des.initEncrypt(key2);
<pre>

==Related problems ==

*	[[Failure to encrypt data]]

==Categories ==

[[Category:Vulnerability]]

[[Category:Protocol Errors]]