Description
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Potential Impact
Access Control, Confidentiality
Bypass Protection Mechanism, Read Application Data
Mitigations & Prevention
Use an encryption scheme that is currently considered to be strong by experts in the field.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
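A small static check in the spirit of the method described above, added here as an example and not taken from the CWE entry or any SAST product. It parses Python source, resolves integer constants that are assigned once, and flags undersized keys and weak ciphers. The 2048-bit minimum, the weak-cipher list, and the names `find_weak_crypto` and `SAMPLE` are assumptions made for this example.

```python
import ast

# Assumed policy for this example (not taken from the CWE entry).
MIN_KEY_BITS = {"rsa": 2048, "dsa": 2048}   # generate_private_key(key_size=...)
WEAK_CIPHERS = {"DES", "ARC2", "ARC4"}      # flagged at any key size

# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''\
from cryptography.hazmat.primitives.asymmetric import rsa
from Crypto.Cipher import DES, AES
BITS = 1024
k1 = rsa.generate_private_key(public_exponent=65537, key_size=BITS)
k2 = rsa.generate_private_key(public_exponent=65537, key_size=3072)
c1 = DES.new(key8, DES.MODE_CBC, iv8)
c2 = AES.new(key32, AES.MODE_GCM)
'''

def find_weak_crypto(source):
    """Return sorted (line, message) findings for one Python source string."""
    tree = ast.parse(source)
    # Minimal data-flow model: names assigned exactly once, to an int literal.
    bindings = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for tgt in node.targets:
                if isinstance(tgt, ast.Name):
                    bindings.setdefault(tgt.id, []).append(node.value)
    consts = {name: vals[0].value for name, vals in bindings.items()
              if len(vals) == 1 and isinstance(vals[0], ast.Constant)
              and type(vals[0].value) is int}
    findings = []
    for node in ast.walk(tree):
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)):
            continue
        # Last component before the method name, e.g. 'DES' in Crypto.Cipher.DES.new
        owner = getattr(f.value, "id", None) or getattr(f.value, "attr", None)
        if f.attr == "new" and owner in WEAK_CIPHERS:
            findings.append((node.lineno, f"weak cipher {owner}"))
        if f.attr == "generate_private_key" and owner in MIN_KEY_BITS:
            kw = {k.arg: k.value for k in node.keywords}.get("key_size")
            bits = consts.get(kw.id) if isinstance(kw, ast.Name) else getattr(kw, "value", None)
            if type(bits) is int and bits < MIN_KEY_BITS[owner]:
                findings.append((node.lineno, f"{owner} key_size={bits} < {MIN_KEY_BITS[owner]}"))
    return sorted(findings)
```

Key sizes that reach the call through a reassigned name, a function argument or configuration are not resolved by this model and produce no finding, which is one reason such tools find only some instances.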
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2001-1546 | Weak encryption |
| CVE-2004-2172 | Weak encryption (chosen plaintext attack) |
| CVE-2002-1682 | Weak encryption |
| CVE-2002-1697 | Weak encryption produces same ciphertext from the same plaintext blocks. |
| CVE-2002-1739 | Weak encryption |
| CVE-2005-2281 | Weak encryption scheme |
| CVE-2002-1872 | Weak encryption (XOR) |
| CVE-2002-1910 | Weak encryption (reversible algorithm). |
| CVE-2002-1946 | Weak encryption (one-to-one mapping). |
| CVE-2002-1975 | Encryption error uses fixed salt, simplifying brute force / dictionary attacks (overlaps randomness). |
Taxonomy Mappings
- PLOVER — Weak Encryption
- OWASP Top Ten 2007: A8 — Insecure Cryptographic Storage
- OWASP Top Ten 2007: A9 — Insecure Communications
- OWASP Top Ten 2004: A8 — Insecure Storage
Frequently Asked Questions
What is CWE-326?
CWE-326 (Inadequate Encryption Strength) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
How can CWE-326 be exploited?
Attackers can exploit CWE-326 (Inadequate Encryption Strength) to bypass protection mechanisms and read application data. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-326?
The key mitigation is to use an encryption scheme that is currently considered to be strong by experts in the field.
What is the severity of CWE-326?
CWE-326 is classified as a Class-level weakness (High abstraction). It has been observed in 10 real-world CVEs.