Difference between revisions of "Using a broken or risky cryptographic algorithm"

From OWASP
Line 1: Line 1:
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
 +
{{Template:Vulnerability}}
  
==Overview==
+
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
  
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.
 
  
==Consequences ==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
* Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
  
* Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
+
[[ASDR Table of Contents]]
 +
__TOC__
  
* Accountability: Any accountability to message content preserved by cryptography may be subject to attack.
 
  
==Exposure period ==
+
==Description==
  
* Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.
 
  
==Platform ==
+
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.
  
* Languages: All
+
'''Consequences'''
  
* Operating platforms: All
+
* Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
 +
* Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
 +
* Accountability: Any accountability to message content preserved by cryptography may be subject to attack.
  
==Required resources ==
+
'''Exposure period'''
 +
 
 +
* Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.
 +
 
 +
'''Platform'''
 +
 
 +
* Languages: All
 +
* Operating platforms: All
 +
 
 +
'''Required resources'''
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
High
 
High
  
==Likelihood   of exploit ==
+
'''Likelihood of exploit'''
  
 
Medium to High
 
Medium to High
  
==Avoidance and mitigation ==
+
Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all.
  
* Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
 
  
==Discussion ==
 
  
Since the state of cryptography advances so rapidly, it is common to find algorithms, which previously were considered to be safe, currently considered unsafe. In some cases, things are discovered, or processing speed increases to the degree that the cryptographic algorithm provides little more benefit than the use of no cryptography at all.
+
==Risk Factors==
 +
 
 +
TBD
 +
 
  
==Examples ==
+
==Examples==
  
 
In C/C++:
 
In C/C++:
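Review bot: the paragraph added where ==Avoidance and mitigation == used to be ("Since the state of cryptography advances so rapidly, ...") now sits directly after '''Likelihood of exploit''' with no label of its own, so it reads as part of the likelihood rating. Give it a bold label in the style of the other entries, or move it up next to the opening sentence under ==Description==. The [[Category:FIXME|...]] line added at the top already says this text still needs rewriting for the new template, so that is a good moment to settle where this paragraph belongs.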
Line 56: Line 67:
 
Cipher des=Cipher.getInstance("DES...);
 
Cipher des=Cipher.getInstance("DES...);
 
des.initEncrypt(key2);
 
des.initEncrypt(key2);
<pre>
+
</pre>
  
==Related problems ==
 
  
* [[Failure to encrypt data]]
+
==Related [[Attacks]]==
  
==Categories ==
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
</pre>
 
  
[[Category:Vulnerability]]
+
==Related [[Vulnerabilities]]==
  
 +
* [[Failure to encrypt data]]
 +
 +
 +
 +
==Related [[Controls]]==
 +
 +
* Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
 +
 +
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
 +
TBD
 +
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Vulnerability]]
 
[[Category:Cryptographic Vulnerability]]
 
[[Category:Cryptographic Vulnerability]]
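Review bot: the new ==Related [[Attacks]]== and ==Related [[Technical Impacts]]== sections carry [[Attack 1]], [[Attack 2]], [[Technical Impact 1]] and [[Technical Impact 2]], which read as unfilled template placeholders; link real pages or leave the sections empty until there is something to list. The Java context lines in this hunk still show Cipher.getInstance("DES...); with an unterminated string, and the </pre> added right after <pre> should be checked against the </pre> further down so the example block is closed only once.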

Revision as of 09:19, 3 October 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 10/3/2008


Description

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the disclosure of sensitive information.

Consequences

  • Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
  • Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
  • Accountability: Any accountability to message content preserved by cryptography may be subject to attack.

Exposure period

  • Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Any

Severity

High

Likelihood of exploit

Medium to High

Because the state of cryptography advances so rapidly, algorithms that were previously considered safe are often later considered unsafe. In some cases, weaknesses are discovered, or processing speed increases to the point that the cryptographic algorithm provides little more benefit than using no cryptography at all.


Risk Factors

TBD


Examples

In C/C++:

EVP_des_ecb();

In Java:

Cipher des = Cipher.getInstance("DES...");
des.initEncrypt(key2);


Related Attacks


Related Vulnerabilities


Related Controls

  • Design: Use a cryptographic algorithm that is currently considered to be strong by experts in the field.
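One way to check a code base against this control, as an added example that is not part of the original OWASP page: a small scanner that flags the two DES usages shown under Examples (OpenSSL `EVP_des_*` and a JCE `getInstance("DES...")` call). The rule names, the function `find_des_usage` and the sample source lines are constructed for illustration, and the rule set is limited to single DES because that is the algorithm the page's examples use.

```python
import re

# Assumption of this example: only single DES is flagged, since DES is the
# algorithm in the page's own snippets. Triple DES names are skipped so the
# findings stay limited to what the page calls out.
RULES = [
    # OpenSSL EVP single-DES ciphers such as EVP_des_ecb() or EVP_des_cbc().
    # EVP_des_ede* / EVP_des_ede3* are triple DES and are excluded.
    ("openssl-evp-des", re.compile(r"\bEVP_des_(?!ede)\w+\s*\(")),
    # JCE algorithm strings "DES" or "DES/<mode>/<padding>" passed to any
    # getInstance() factory. "DESede..." is triple DES and is excluded; the
    # "." alternative also catches an elided string like the page's "DES...".
    ("jce-des", re.compile(r'getInstance\s*\(\s*"DES(?=["/.])', re.IGNORECASE)),
]


def find_des_usage(source):
    """Return (line_number, rule_id, stripped_line) for each single-DES use."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((number, rule_id, line.strip()))
    return findings


# Constructed sample input modelled on the page's C and Java snippets, plus
# lines that must not be reported.
SAMPLE = '''\
const EVP_CIPHER *c = EVP_des_ecb();
const EVP_CIPHER *t = EVP_des_ede3_cbc();
const EVP_CIPHER *a = EVP_aes_256_gcm();
Cipher des = Cipher.getInstance("DES/ECB/PKCS5Padding");
Cipher tdes = Cipher.getInstance("DESede/CBC/PKCS5Padding");
Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
'''

if __name__ == "__main__":
    for number, rule_id, text in find_des_usage(SAMPLE):
        print(f"line {number}: {rule_id}: {text}")
```

A pattern scan like this only finds literal algorithm names; algorithm choices read from configuration or built at run time need a review of the configuration as well.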


Related Technical Impacts


References

TBD