CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: Incorrect usage of crypto primitives could render the supposedly encrypted data as unencrypted plaintext in the worst case.
潜在缓解措施
阶段: Requirements
描述: Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
有效性: High
阶段: Architecture and Design
描述: Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
有效性: High
阶段: Architecture and Design
描述: Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak.
有效性: Discouraged Common Practice
阶段: Architecture and Design
描述: Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this.
有效性: Discouraged Common Practice
阶段: Architecture and Design
描述: Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level.
有效性: Defense in Depth
阶段: Architecture and Design
描述: Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267].
有效性: Discouraged Common Practice
阶段: Architecture and Design Implementation
描述: Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator.
有效性: Discouraged Common Practice
阶段: Architecture and Design Implementation
描述: Do not use a checksum as a substitute for a cryptographically generated hash.
有效性: Discouraged Common Practice
阶段: Architecture and Design
策略: Libraries or Frameworks
描述: Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation.
有效性: High
阶段: Architecture and Design Implementation
描述: When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks.
有效性: Moderate
阶段: Architecture and Design Implementation
描述: Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant.
有效性: Moderate
检测方法
方法: Architecture or Design Review
Review requirements, documentation, and product design to ensure that primitives are consistent with the strongest-available recommendations from trusted parties. If the product appears to be using custom or proprietary implementations that have not had sufficient public review and approval, then this is a significant concern.
有效性: High
方法: Manual Analysis
Analyze the product to ensure that implementations for each primitive do not contain any known vulnerabilities and are not using any known-weak algorithms, including MD4, MD5, SHA1, DES, etc.
有效性: Moderate
方法: Dynamic Analysis with Manual Results Interpretation
For hardware, during the implementation (pre-Silicon / post-Silicon) phase, dynamic tests should be done to ensure that outputs from cryptographic routines are indeed working properly, such as test vectors provided by NIST [REF-1236].
有效性: Moderate
方法: Dynamic Analysis with Manual Results Interpretation
It needs to be determined if the output of a cryptographic primitive is lacking entropy, which is one clear sign that something went wrong with the crypto implementation. There exist many methods of measuring the entropy of a bytestream, from sophisticated ones (like calculating Shannon's entropy of a sequence of characters) to crude ones (by compressing it and comparing the size of the original bytestream vs. the compressed - a truly random byte stream should not be compressible and hence the uncompressed and compressed bytestreams should be nearly identical in size).
有效性: Moderate
观察示例
参考: CVE-2020-4778
software uses MD5, which is less safe than the default SHA-256 used by related products
参考: CVE-2005-2946
Default configuration of product uses MD5 instead of stronger algorithms that are available, simplifying forgery of certificates.
参考: CVE-2019-3907
identity card uses MD5 hash of a salt and password
参考: CVE-2021-34687
personal key is transmitted over the network using a substitution cipher
参考: CVE-2020-14254
product does not disable TLS-RSA cipher suites, allowing decryption of traffic if TLS 2.0 and secure ciphers are not enabled.
参考: CVE-2019-1543
SSL/TLS library generates 16-byte nonces but reduces them to 12 byte nonces for the ChaCha20-Poly1305 cipher, converting them in a way that violates the cipher's requirements for unique nonces.
参考: CVE-2017-9267
LDAP interface allows use of weak ciphers
参考: CVE-2017-7971
SCADA product allows "use of outdated cipher suites"
参考: CVE-2020-6616
Chip implementing Bluetooth uses a low-entropy PRNG instead of a hardware RNG, allowing spoofing.
参考: CVE-2019-1715
security product has insufficient entropy in the DRBG, allowing collisions and private key discovery
参考: CVE-2014-4192
Dual_EC_DRBG implementation in RSA toolkit does not correctly handle certain byte requests, simplifying plaintext recovery
参考: CVE-2007-6755
Recommendation for Dual_EC_DRBG algorithm contains point Q constants that could simplify decryption
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | This weakness is primarily introduced during the architecture and design phase as risky primitives are included. |
| Implementation | Even in cases where the Architectural phase properly specifies a cryptographically secure design, the design may be changed during implementation due to unforeseen constraints. |