1. Home
  2. CWE Database
  3. CWE-323
Base · Medium

CWE-323: Reusing a Nonce, Key Pair in Encryption

Nonces should be used for the present occasion and only once.

CWE-323 · Base Level ·2 CVEs ·2 Mitigations

Description

Nonces should be used for the present occasion and only once.

Potential Impact

Access Control

Bypass Protection Mechanism, Gain Privileges or Assume Identity

Demonstrative Examples

This code takes a password, concatenates it with a nonce, then encrypts it before sending over a network:
Bad
void encryptAndSendPassword(char *password){char *nonce = "bad";...char *data = (unsigned char*)malloc(20);int para_size = strlen(nonce) + strlen(password);char *paragraph = (char*)malloc(para_size);SHA1((const unsigned char*)paragraph,parsize,(unsigned char*)data);sendEncryptedData(data)}
Because the nonce used is always the same, an attacker can impersonate a trusted party by intercepting and resending the encrypted password. This attack avoids the need to learn the unencrypted password.
This code sends a command to a remote server, using an encrypted password and nonce to prove the command is from a trusted party:
Bad
String command = new String("some command to execute");MessageDigest nonce = MessageDigest.getInstance("SHA");nonce.update(String.valueOf("bad nonce"));byte[] nonce = nonce.digest();MessageDigest password = MessageDigest.getInstance("SHA");password.update(nonce + "secretPassword");byte[] digest = password.digest();sendCommand(digest, command)
Once again the nonce used is always the same. An attacker may be able to replay previous legitimate commands or execute new arbitrary commands.

Mitigations & Prevention

Implementation

Refuse to reuse nonce values.

Implementation

Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2024-36289social networking app reuses a nonce/key pair, allowing MITM attackers to manipulate direct messages
CVE-2024-21530Rust package reuses a nonce/key pair when an object is cloned, which resets the random number generation

CWE-344: Use of Invariant Value in Dynamically Changing Context

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments...

Taxonomy Mappings

  • CLASP: — Reusing a nonce, key pair in encryption

Frequently Asked Questions

What is CWE-323?

CWE-323 (Reusing a Nonce, Key Pair in Encryption) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Nonces should be used for the present occasion and only once.

How can CWE-323 be exploited?

Attackers can exploit CWE-323 (Reusing a Nonce, Key Pair in Encryption) to bypass protection mechanism, gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-323?

Key mitigations include: Refuse to reuse nonce values.

What is the severity of CWE-323?

CWE-323 is classified as a Base-level weakness (Medium abstraction). It has been observed in 2 real-world CVEs.