Base · Medium

CWE-325: Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

CWE-325 · Base Level · 1 CVE

Potential Impact

Access Control

Bypass Protection Mechanism

Confidentiality, Integrity

Read Application Data, Modify Application Data

Accountability, Non-Repudiation

Hide Activities

Demonstrative Examples

The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HMAC is a message authentication code (MAC) that uses both a hash function and a secret cryptographic key. The HMAC engine in the HACK@DAC SoC uses the SHA-256 module to calculate the HMAC of 512-bit messages.
Bad
// The message input is a single fixed 512-bit register; there is no
// buffering or block iteration for longer inputs.
logic [511:0] bigData;
...

hmac hmac(
   .clk_i(clk_i),
   .rst_ni(rst_ni && ~rst_4),
   .init_i(startHash && ~startHash_r),
   .key_i(key),
   .ikey_hash_i(ikey_hash),
   .okey_hash_i(okey_hash),
   .key_hash_bypass_i(key_hash_bypass),
   .message_i(bigData),         // only one 512-bit block is ever presented
   .hash_o(hash),
   .ready_o(ready),
   .hash_valid_o(hashValid)
);
However, this HMAC engine cannot handle messages that are longer than 512 bits. Moreover, a complete HMAC contains an iterative hash function that breaks a message into blocks of a fixed size and iterates over them with a compression function (e.g., SHA-256). Therefore, the implementation of the HMAC in the OpenPiton SoC is incomplete. Such HMAC engines cannot be used in real-world applications, as messages will usually be longer than 512 bits. For instance, OpenTitan offers a comprehensive HMAC implementation that uses a FIFO to temporarily store the message blocks, as detailed in [REF-1359].
To mitigate this, implement the iterative function that breaks a message into blocks of a fixed size and feeds every block to the compression function.
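The following added example (not code from CWE, OpenPiton or OpenTitan) models the two engines in software: a complete HMAC-SHA256 that iterates over every 512-bit block, and a single-block engine that mirrors the incomplete design above by hashing only the first block. A conformance check compares each against Python's standard library; the key and messages are constructed test data.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 compression-function block: 512 bits


def _normalize_key(key: bytes) -> bytes:
    """RFC 2104 key handling: hash keys longer than a block, zero-pad to a full block."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    return key.ljust(BLOCK_SIZE, b"\x00")


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Complete HMAC-SHA256: the inner hash absorbs every block of the message."""
    k = _normalize_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha256()
    inner.update(ipad)
    for off in range(0, len(message), BLOCK_SIZE):  # iterate over fixed-size blocks
        inner.update(message[off:off + BLOCK_SIZE])
    return hashlib.sha256(opad + inner.digest()).digest()


def hmac_sha256_single_block(key: bytes, message: bytes) -> bytes:
    """Model of the incomplete engine: only one 512-bit block is ever hashed."""
    k = _normalize_key(key)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    first_block = message[:BLOCK_SIZE]  # bytes beyond 512 bits are silently dropped
    inner = hashlib.sha256(ipad + first_block).digest()
    return hashlib.sha256(opad + inner).digest()


def check_length_handling(impl, key: bytes = b"constructed-test-key") -> bool:
    """Conformance check: an HMAC engine must authenticate every byte of a message.

    Returns False if any message of 64, 65 or 164 bytes is not tagged exactly
    as the reference implementation tags it.
    """
    base = b"A" * BLOCK_SIZE
    for tail in (b"", b"B", b"B" * 100):
        msg = base + tail
        reference = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(impl(key, msg), reference):
            return False
    return True
```

Because the single-block engine ignores everything after byte 64, two messages that differ only beyond that point receive the same tag, which is exactly the weakened guarantee this CWE describes.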

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID         | Description
CVE-2001-1585  | Missing challenge-response step allows authentication bypass using public key.

Taxonomy Mappings

  • PLOVER — Missing Required Cryptographic Step
  • OWASP Top Ten 2007: A8 — Insecure Cryptographic Storage
  • OWASP Top Ten 2007: A9 — Insecure Communications

Frequently Asked Questions

What is CWE-325?

CWE-325 (Missing Cryptographic Step) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

How can CWE-325 be exploited?

Attackers can exploit CWE-325 (Missing Cryptographic Step) to bypass a protection mechanism. This weakness is typically introduced during the Requirements and Implementation phases of software development.

How do I prevent CWE-325?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-325?

CWE-325 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.