A04:2025 Cryptographic Failures

Background.

Moving down two positions to #4, this weakness focuses on failures related to the lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors. Three of the most common Common Weakness Enumerations (CWEs) in this risk involved the use of a weak pseudo-random number generator: CWE-327 Use of a Broken or Risky Cryptographic Algorithm, CWE-331: Insufficient Entropy, CWE-1241: Use of Predictable Algorithm in Random Number Generator, and CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

Score table.

CWEs Mapped	Max Incidence Rate	Avg Incidence Rate	Max Coverage	Avg Coverage	Avg Weighted Exploit	Avg Weighted Impact	Total Occurrences	Total CVEs
32	13.77%	3.80%	100.00%	47.74%	7.23	3.90	1,665,348	2,185

Description.

Generally speaking, all data in transit should be encrypted at the transport layer (OSI layer 4). Previous hurdles such as CPU performance and private key/certificate management are now handled by CPUs having instructions designed to accelerate encryption (eg: AES support) and private key and certificate management being simplified by services like LetsEncrypt.org with major cloud vendors providing even more tightly integrated certificate management services for their specific platforms.

Beyond securing the transport layer, it is important to determine what data needs encryption at rest as well as what data needs extra encryption in transit (at the application layer, OSI layer 7). For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations such as PCI Data Security Standard (PCI DSS). For all such data:

• Are any old or weak cryptographic algorithms or protocols used either by default or in older code?
• Are default crypto keys in use, are weak crypto keys generated, are keys re-used, or is proper key management and rotation missing?
• Are crypto keys checked into source code repositories?
• Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?
• Is the received server certificate and the trust chain properly validated?
• Are initialization vectors ignored, reused, or not generated sufficiently secure for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate?
• Are passwords being used as cryptographic keys in the absence of a password based key derivation function?
• Is randomness used for cryptographic purposes that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer over-written the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability?
• Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?
• Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?
• Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks?
• Can the cryptographic algorithm be downgraded or bypassed?

See references ASVS: Cryptography (V11), Secure Communication (V12) and Data Protection (V14).

How to prevent.

Do the following, at a minimum, and consult the references:

• Classify and label data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
• Store your most sensitive keys in a hardware or cloud-based HSM.
• Use well-trusted implementations of cryptographic algorithms whenever possible.
• Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
• Make sure to encrypt all sensitive data at rest.
• Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
• Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
• Disable caching for responses that contain sensitive data. This includes caching in your CDN, web server, and any application caching (eg: Redis).
• Apply required security controls as per the data classification.
• Do not use unencrypted protocols such as FTP and SMTP.
• Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt (legacy systems) or PBKDF2-HMAC-SHA-256. For legacy systems using bcrypt, get more advice at OWASP Cheat Sheet: Password Storage
• Initialization vectors must be chosen appropriate for the mode of operation. This could mean using a CSPRNG (cryptographically secure pseudo random number generator). For modes that require a nonce, the initialization vector (IV) does not need a CSPRNG. In all cases, the IV should never be used twice for a fixed key.
• Always use authenticated encryption instead of just encryption.
• Keys should be generated cryptographically randomly and stored in memory as byte arrays. If a password is used, then it must be converted to a key via an appropriate password base key derivation function.
• Ensure that cryptographic randomness is used where appropriate and that it has not been seeded in a predictable way or with low entropy. Most modern APIs do not require the developer to seed the CSPRNG to be secure.
• Avoid deprecated cryptographic functions, block building methods and padding schemes, such as MD5, SHA1, Cipher Block Chaining Mode (CBC), PKCS number 1 v1.5.
• Ensure settings and configurations meet security requirements by having them reviewed by security specialists, tools designed for this purpose, or both.
• Consider to prepare for post quantum cryptography (PQC), see references (ENISA, NIST)

Example attack scenarios.

Scenario #1: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g., the recipient of a money transfer.

Scenario #2: The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.

References.

• OWASP Proactive Controls: C2: Use Cryptography to Protect Data
• OWASP Application Security Verification Standard (ASVS): V11, 12, 14
• OWASP Cheat Sheet: Transport Layer Protection
• OWASP Cheat Sheet: User Privacy Protection
• OWASP Cheat Sheet: Password Storage
• OWASP Cheat Sheet: Cryptographic Storage
• OWASP Cheat Sheet: HSTS
• OWASP Testing Guide: Testing for weak cryptography
• ENISA: A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography
• NIST Releases First 3 Finalized Post-Quantum Encryption Standards

List of Mapped CWEs

• CWE-261 Weak Encoding for Password

• CWE-296 Improper Following of a Certificate's Chain of Trust

• CWE-319 Cleartext Transmission of Sensitive Information

• CWE-320 Key Management Errors (Prohibited)

• CWE-321 Use of Hard-coded Cryptographic Key

• CWE-322 Key Exchange without Entity Authentication

• CWE-323 Reusing a Nonce, Key Pair in Encryption

• CWE-324 Use of a Key Past its Expiration Date

• CWE-325 Missing Required Cryptographic Step

• CWE-326 Inadequate Encryption Strength

• CWE-327 Use of a Broken or Risky Cryptographic Algorithm

• CWE-328 Reversible One-Way Hash

• CWE-329 Not Using a Random IV with CBC Mode

• CWE-330 Use of Insufficiently Random Values

• CWE-331 Insufficient Entropy

• CWE-332 Insufficient Entropy in PRNG

• CWE-334 Small Space of Random Values

• CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator(PRNG)

• CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)

• CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)

• CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator(PRNG)

• CWE-340 Generation of Predictable Numbers or Identifiers

• CWE-342 Predictable Exact Value from Previous Values

• CWE-347 Improper Verification of Cryptographic Signature

• CWE-523 Unprotected Transport of Credentials

• CWE-757 Selection of Less-Secure Algorithm During Negotiation('Algorithm Downgrade')

• CWE-759 Use of a One-Way Hash without a Salt

• CWE-760 Use of a One-Way Hash with a Predictable Salt

• CWE-780 Use of RSA Algorithm without OAEP

• CWE-916 Use of Password Hash With Insufficient Computational Effort

• CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation

• CWE-1241 Use of Predictable Algorithm in Random Number Generator