1. Home
  2. CWE Database
  3. CWE-322
Base · Medium

CWE-322: Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

CWE-322 · Base Level ·2 Mitigations

Description

The product performs a key exchange with an actor without verifying the identity of that actor.

Performing a key exchange will preserve the integrity of the information sent between two entities, but this will not guarantee that the entities are who they claim they are. This may enable an attacker to impersonate an actor by modifying traffic between the two entities. Typically, this involves a victim client that contacts a malicious server that is impersonating a trusted server. If the client skips authentication or ignores an authentication failure, the malicious server may request authentication information from the user. The malicious server can then use this authentication information to log in to the trusted server using the victim's credentials, sniff traffic between the victim and trusted server, etc.

Potential Impact

Access Control

Bypass Protection Mechanism

Confidentiality

Read Application Data

Mitigations & Prevention

Architecture and Design

Ensure that proper authentication is included in the system design.

Implementation

Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-306: Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a s...

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it ...

CWE-295: Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Taxonomy Mappings

  • CLASP: — Key exchange without entity authentication

Frequently Asked Questions

What is CWE-322?

CWE-322 (Key Exchange without Entity Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product performs a key exchange with an actor without verifying the identity of that actor.

How can CWE-322 be exploited?

Attackers can exploit CWE-322 (Key Exchange without Entity Authentication) to bypass protection mechanism. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-322?

Key mitigations include: Ensure that proper authentication is included in the system design.

What is the severity of CWE-322?

CWE-322 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.