>myctrl.tools
Preferences
Under active development Content is continuously updated and improved

A04Cryptographic Failures

>Control Description

Moving down two positions to #4, this weakness focuses on failures related to the lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors. Three of the most common Common Weakness Enumerations (CWEs) in this risk involved the use of a weak pseudo-random number generator: *CWE-327 Use of a Broken or Risky Cryptographic Algorithm, CWE-331: Insufficient Entropy*, *CWE-1241: Use of Predictable Algorithm in Random Number Generator*, and *CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)*. Generally speaking, all data in transit should be encrypted at the [transport layer](https://en.wikipedia.org/wiki/Transport_layer) ([OSI layer](https://en.wikipedia.org/wiki/OSI_model) 4). Previous hurdles such as CPU performance and private key/certificate management are now handled by CPUs having instructions designed to accelerate encryption (eg: [AES support](https://en.wikipedia.org/wiki/AES_instruction_set)) and private key and certificate management being simplified by services like [LetsEncrypt.org](https://LetsEncrypt.org) with major cloud vendors providing even more tightly integrated certificate management services for their specific platforms. Beyond securing the transport layer, it is important to determine what data needs encryption at rest as well as what data needs extra encryption in transit (at the [application layer](https://en.wikipedia.org/wiki/Application_layer), OSI layer 7). For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, especially if that data falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR), or regulations such as PCI Data Security Standard (PCI DSS). For all such data: * Are any old or weak cryptographic algorithms or protocols used either by default or in older code? * Are default crypto keys in use, are weak crypto keys generated, are keys re-used, or is proper key management and rotation missing? * Are crypto keys checked into source code repositories? * Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing? * Is the received server certificate and the trust chain properly validated? * Are initialization vectors ignored, reused, or not generated sufficiently secure for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate? * Are passwords being used as cryptographic keys in the absence of a password based key derivation function? * Is randomness used that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer over-written the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability? * Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed? * Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks? * Can the cryptographic algorithm be downgraded or bypassed? See references ASVS: Cryptography (V11), Secure Communication (V12) and Data Protection (V14).

>Prevention & Mitigation Strategies

  1. 1.Classify and label data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
  2. 2.Store your most sensitive keys in a hardware or cloud-based HSM.
  3. 3.Use well-trusted implementations of cryptographic algorithms whenever possible.
  4. 4.Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
  5. 5.Make sure to encrypt all sensitive data at rest.
  6. 6.Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  7. 7.Encrypt all data in transit with protocols >= TLS 1.2 only, with forward secrecy (FS) ciphers, drop support for cipher block chaining (CBC) ciphers, support quantum key change algorithms. For HTTPS enforce encryption using HTTP Strict Transport Security (HSTS). Check everything with a tool.
  8. 8.Disable caching for responses that contain sensitive data. This includes caching in your CDN, web server, and any application caching (eg: Redis).
  9. 9.Apply required security controls as per the data classification.
  10. 10.Do not use unencrypted protocols such as FTP, and STARTTLS. Avoid using SMTP for transmitting confidential data.
  11. 11.Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, yescrypt, scrypt or PBKDF2-HMAC-SHA-512. For legacy systems using bcrypt, get more advice at [OWASP Cheat Sheet: Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
  12. 12.Initialization vectors must be chosen appropriate for the mode of operation. This could mean using a CSPRNG (cryptographically secure pseudo random number generator). For modes that require a nonce, the initialization vector (IV) does not need a CSPRNG. In all cases, the IV should never be used twice for a fixed key.
  13. 13.Always use authenticated encryption instead of just encryption.
  14. 14.Keys should be generated cryptographically randomly and stored in memory as byte arrays. If a password is used, then it must be converted to a key via an appropriate password base key derivation function.
  15. 15.Ensure that cryptographic randomness is used where appropriate and that it has not been seeded in a predictable way or with low entropy. Most modern APIs do not require the developer to seed the CSPRNG to be secure.
  16. 16.Avoid deprecated cryptographic functions, block building methods and padding schemes, such as MD5, SHA1, Cipher Block Chaining Mode (CBC), PKCS number 1 v1.5.
  17. 17.Ensure settings and configurations meet security requirements by having them reviewed by security specialists, tools designed for this purpose, or both.
  18. 18.You need to prepare now for post quantum cryptography (PQC), see reference (ENISA) so that high risk systems are safe no later than the end of 2030.

>Attack Scenarios

#1TLS downgrade and session hijacking

A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g., the recipient of a money transfer.

#2Unsalted password hash exposure

The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.

>Related CWEs

CWE-327
CWE-325
CWE-916
CWE-347
CWE-324
CWE-321
CWE-332
CWE-336
CWE-323
CWE-760
CWE-342
CWE-523
CWE-322
CWE-261
CWE-329
CWE-757
CWE-326
CWE-296
CWE-320
CWE-340
CWE-331
CWE-1240
CWE-328
CWE-335
CWE-337
CWE-330
CWE-338
CWE-319
CWE-759
CWE-334
CWE-1241
CWE-780

>References

Ask AI

Configure your API key to use AI features.