CWE-326: Inadequate Encryption Strength
CWE version: 4.18
Updated: 2025-09-09
Weakness Description
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Extended Description
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Common Consequences
Scope: Access Control, Confidentiality
Technical Impact: Bypass Protection Mechanism; Read Application Data
Note: An attacker may be able to decrypt the data using brute force attacks.
Potential Mitigations
Phase: Architecture and Design
Description: Use an encryption scheme that is currently considered to be strong by experts in the field.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
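The mitigation and detection entries above describe the check in words; the following added Python example (not part of the CWE entry) makes it concrete: it flags a scheme by algorithm name and key size against an assumed 112-bit minimum (NIST SP 800-131A) and an illustrative deprecated-algorithm list, and it counts repeated ciphertext blocks, the symptom behind the "same ciphertext from the same plaintext blocks" observed example. The XOR routine, sample key and plaintext are constructed for the demonstration only.

```python
from collections import Counter

# Assumed policy thresholds and names (illustrative, not from the CWE entry):
# NIST SP 800-131A treats fewer than 112 bits of security strength as
# disallowed, and these algorithms are well-known examples of "theoretically
# sound but too weak" schemes.
MIN_SECURITY_BITS = 112
WEAK_ALGORITHMS = {"xor", "des", "rc2", "rc4"}

def brute_force_seconds(key_bits: int, guesses_per_second: float = 1e12) -> float:
    """Expected time to search half the key space at an assumed attacker rate."""
    return 2 ** (key_bits - 1) / guesses_per_second

def assess_cipher(algorithm: str, key_bits: int) -> dict:
    """Flag a scheme whose algorithm is deprecated or whose key space is small
    enough to brute force; the mitigation is to replace it, not to patch it."""
    reasons = []
    if algorithm.lower() in WEAK_ALGORITHMS:
        reasons.append(f"algorithm {algorithm} is not considered strong")
    if key_bits < MIN_SECURITY_BITS:
        reasons.append(f"{key_bits}-bit key is below the {MIN_SECURITY_BITS}-bit minimum")
    return {"weak": bool(reasons), "reasons": reasons,
            "brute_force_seconds": brute_force_seconds(key_bits)}

def repeated_block_count(ciphertext: bytes, block_size: int = 16) -> int:
    """Count ciphertext blocks that repeat. Identical plaintext blocks mapping to
    identical ciphertext (the CVE-2002-1697 pattern) leaks plaintext structure."""
    blocks = [ciphertext[i:i + block_size] for i in range(0, len(ciphertext), block_size)]
    return sum(n - 1 for n in Counter(blocks).values() if n > 1)

def xor_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR (the reversible scheme behind CVE-2002-1872), used
    only to construct a ciphertext that exhibits the repeated-block weakness."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))

# Constructed sample: two identical 16-byte plaintext blocks under a 16-byte key.
SAMPLE_KEY = b"0123456789abcdef"
SAMPLE_PLAINTEXT = b"ATTACK AT DAWN!!" * 2
SAMPLE_CIPHERTEXT = xor_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for alg, bits in [("DES", 56), ("XOR", 128), ("AES", 128)]:
        v = assess_cipher(alg, bits)
        print(alg, bits, "WEAK" if v["weak"] else "ok", v["reasons"],
              f"{v['brute_force_seconds']:.3g} s to brute force")
    print("repeated ciphertext blocks:", repeated_block_count(SAMPLE_CIPHERTEXT))
    # A mitigated design would use AES-128 or stronger in an authenticated mode
    # (e.g. GCM) with a unique nonce per message, so no block ever repeats.
```

Note that a 128-bit XOR key is still flagged: key length alone does not make a scheme strong, which is why the algorithm check runs independently of the key-size check.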
Observed Examples
Reference: CVE-2001-1546
Weak encryption
Reference: CVE-2004-2172
Weak encryption (chosen plaintext attack)
Reference: CVE-2002-1682
Weak encryption
Reference: CVE-2002-1697
Weak encryption produces same ciphertext from the same plaintext blocks.
Reference: CVE-2002-1739
Weak encryption
Reference: CVE-2005-2281
Weak encryption scheme
Reference: CVE-2002-1872
Weak encryption (XOR)
Reference: CVE-2002-1910
Weak encryption (reversible algorithm).
Reference: CVE-2002-1946
Weak encryption (one-to-one mapping).
Reference: CVE-2002-1975
Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness).
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Weak Encryption | - |
| OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE More Specific |
| OWASP Top Ten 2007 | A9 | Insecure Communications | CWE More Specific |
| OWASP Top Ten 2004 | A8 | Insecure Storage | CWE More Specific |