Using a broken or risky cryptographic algorithm
Description
Creating non-standard, untested algorithms, using algorithms that are known to be weak, or applying a sound algorithm incorrectly (for example, a block cipher in ECB mode, or with a key that is too short) leaves data that is meant to be protected exposed.
Consequences
- Confidentiality: The confidentiality of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
- Integrity: The integrity of sensitive data may be compromised by the use of a broken or risky cryptographic algorithm.
- Accountability: Any accountability for message content that cryptography is meant to preserve (for example, through signatures or MACs) may be subject to attack.
Exposure period
- Design: The decision as to what cryptographic algorithm to utilize is generally made at design time.
Platform
- Languages: All
- Operating platforms: All
Required resources
Any
Severity
High
Likelihood of exploit
Medium to High
Because cryptanalysis and available computing power advance steadily, algorithms that were once considered safe are routinely reclassified as unsafe. In some cases a new attack is discovered, or processing speed increases to the point where exhaustive key search is practical (DES, with its 56-bit key, is the canonical instance), so that the algorithm provides little more protection than no cryptography at all.
Risk Factors
- Use of custom cryptographic algorithms.
- Use of weak or untested public algorithms, or of a sound algorithm in a weak mode of operation.
Examples
In C/C++ (OpenSSL), selecting single DES in ECB mode:
const EVP_CIPHER *cipher = EVP_des_ecb();   /* single DES, ECB mode: 56-bit key and a mode that leaks block patterns */
EVP_EncryptInit_ex(ctx, cipher, NULL, key, NULL);
In Java (JCE), the same choice; the bare name "DES" resolves to DES/ECB/PKCS5Padding in the default provider:
Cipher des = Cipher.getInstance("DES");   // weak algorithm, and ECB by default
des.init(Cipher.ENCRYPT_MODE, key2);
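Both snippets above are the kind of call a code review or static check should flag. The following is an added example, not code from the original page or from OWASP: a small Python scanner that finds JCE transformation strings and OpenSSL EVP cipher selectors in source text and reports weak algorithms and ECB mode. The weak-algorithm lists, the regular expressions, the function names and the sample source lines are all this example's own assumptions; the lists are illustrative, not exhaustive.

```python
import re

# Block/stream ciphers considered broken or too small for current use (JCE names,
# upper-cased). This list is the example's own and is not exhaustive.
WEAK_ALGORITHMS = {"DES", "DESEDE", "TRIPLEDES", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}
# Modes that leak plaintext structure regardless of the algorithm.
WEAK_MODES = {"ECB"}
# OpenSSL EVP selector prefixes mapped to the algorithm they select (example's own list).
EVP_WEAK_PREFIXES = {"des": "DES", "rc2": "RC2", "rc4": "RC4", "bf": "Blowfish"}

# Cipher.getInstance("ALG/MODE/PADDING") in Java source.
JCE_CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]*)"')
# EVP_des_ecb(), EVP_aes_256_gcm(), ... in C source. Selector names are lower-case,
# so API calls such as EVP_EncryptInit_ex or EVP_CIPHER_CTX_new are not matched.
EVP_CALL = re.compile(r'\bEVP_([a-z0-9_]+)\s*\(')

ECB_REASON = "ECB mode leaks plaintext block patterns"


def classify_jce(transformation):
    """Return the reasons a JCE transformation string is risky, or [] if none found.
    A bare algorithm name ("DES", "AES") is treated as ECB, which is what the
    default provider supplies when no mode is given."""
    parts = transformation.upper().split("/")
    algorithm = parts[0]
    mode = parts[1] if len(parts) > 1 else "ECB"
    reasons = []
    if algorithm in WEAK_ALGORITHMS:
        reasons.append(f"weak algorithm {algorithm}")
    if mode in WEAK_MODES:
        reasons.append(ECB_REASON)
    return reasons


def classify_evp(selector):
    """selector is the text after EVP_, e.g. "des_ecb", "des_ede3_cbc", "aes_256_gcm"."""
    tokens = selector.lower().split("_")
    reasons = []
    name = EVP_WEAK_PREFIXES.get(tokens[0])
    if name == "DES" and len(tokens) > 1 and tokens[1].startswith("ede"):
        name = "3DES (64-bit block)"
    if name:
        reasons.append(f"weak algorithm {name}")
    if tokens[-1].upper() in WEAK_MODES:
        reasons.append(ECB_REASON)
    return reasons


def scan(source):
    """Scan source text; return [(line_no, matched_call, [reasons]), ...] for risky calls."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in JCE_CALL.finditer(line):
            reasons = classify_jce(m.group(1))
            if reasons:
                findings.append((line_no, m.group(0), reasons))
        for m in EVP_CALL.finditer(line):
            reasons = classify_evp(m.group(1))
            if reasons:
                findings.append((line_no, m.group(0), reasons))
    return findings


# Constructed sample input mixing Java and C lines; not from any real project.
SAMPLE_SOURCE = """\
Cipher des = Cipher.getInstance("DES");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
Cipher bad = Cipher.getInstance("AES/ECB/PKCS5Padding");
const EVP_CIPHER *c1 = EVP_des_ecb();
const EVP_CIPHER *c2 = EVP_aes_256_gcm();
"""

if __name__ == "__main__":
    for line_no, call, reasons in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {call}: " + "; ".join(reasons))
```

Note that line 3 of the sample is flagged even though AES itself is strong: the control is about the algorithm and how it is applied, and a strong block cipher in ECB mode still exposes repeated plaintext blocks.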
Related Attacks
Related Vulnerabilities
Related Controls
- Design: Use a cryptographic algorithm and mode of operation that are currently considered strong by experts in the field, and revisit the choice periodically, since an algorithm considered strong at design time may later be broken.
Related Technical Impacts
References
TBD
Category:OWASP ASDR Project Category:Vulnerability Category:Cryptographic Vulnerability