CWE-326 不充分的加密强度

Inadequate Encryption Strength

结构: Simple

Abstraction: Class

状态: Draft

被利用可能性: unkown


The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.


A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.


  • cwe_Nature: ChildOf cwe_CWE_ID: 693 cwe_View_ID: 1000 cwe_Ordinal: Primary


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
['Access Control', 'Confidentiality'] ['Bypass Protection Mechanism', 'Read Application Data'] An attacker may be able to decrypt the data using brute force attacks.


Architecture and Design


Use a cryptographic algorithm that is currently considered to be strong by experts in the field.


标识 说明 链接
CVE-2001-1546 Weak encryption
CVE-2004-2172 Weak encryption (chosen plaintext attack)
CVE-2002-1682 Weak encryption
CVE-2002-1697 Weak encryption produces same ciphertext from the same plaintext blocks.
CVE-2002-1739 Weak encryption
CVE-2005-2281 Weak encryption scheme
CVE-2002-1872 Weak encryption (XOR)
CVE-2002-1910 Weak encryption (reversible algorithm).
CVE-2002-1946 Weak encryption (one-to-one mapping).
CVE-2002-1975 Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).


Maintenance A variety of encryption algorithms exist, with various weaknesses. This category could probably be split into smaller sub-categories. Maintenance Relationships between CWE-310, CWE-326, and CWE-327 and all their children need to be reviewed and reorganized.


映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Weak Encryption
OWASP Top Ten 2007 A8 CWE More Specific Insecure Cryptographic Storage
OWASP Top Ten 2007 A9 CWE More Specific Insecure Communications
OWASP Top Ten 2004 A8 CWE More Specific Insecure Storage


  • CAPEC-112
  • CAPEC-192
  • CAPEC-20