{"@ID": "1279", "@Name": "Cryptographic Operations are run Before Supporting Units are Ready", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result.", "Extended_Description": "Many cryptographic hardware units depend upon other hardware units to supply information to them to produce a securely encrypted result. For example, a cryptographic unit that depends on an external random-number-generator (RNG) unit for entropy must wait until the RNG unit is producing random numbers. If a cryptographic unit retrieves a private encryption key from a fuse unit, the fuse unit must be up and running before a key may be supplied.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "696", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "665", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "Verilog", "@Prevalence": "Undetermined"}, {"@Name": "VHDL", "@Prevalence": "Undetermined"}, {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}], "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Name": "Processor Hardware", "@Prevalence": "Undetermined"}, {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "The decision to continue using a cryptographic unit even though the input units to it are not producing valid data will compromise the encrypted result."}]}, "Common_Consequences": {"Consequence": {"Scope": ["Access Control", "Confidentiality", "Integrity", "Availability", "Accountability", "Authentication", "Authorization", "Non-Repudiation"], "Impact": "Varies by Context"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Best practices should be used to design cryptographic systems."}, {"Phase": "Implementation", "Description": "Continuously ensuring that cryptographic inputs are supplying valid information is necessary to ensure that the encrypted output is secure."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "The following pseudocode illustrates the weak encryption resulting from the use of a pseudo-random-number generator output.", "Example_Code": [{"@Nature": "Bad", "@Language": "Pseudocode", "xhtml:br": [null, null, null], "#text": "If random_number_generator_self_test_passed() == TRUE\n\t\t\t\t\t  then Seed = get_random_number_from_RNG()\n\t\t\t\t\t  else Seed = hardcoded_number"}, {"@Nature": "Good", "@Language": "Pseudocode", "xhtml:br": [null, null, null], "#text": "If random_number_generator_self_test_passed() == TRUE\n\t\t\t\t\t  then Seed = get_random_number_from_RNG()\n\t\t\t\t\t  else enter_error_state()"}], "Body_Text": "In the example above, first a check of RNG ready is performed. If the check fails, the RNG is ignored and a hard coded value is used instead. The hard coded value severely weakens the encrypted output."}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": {"@CAPEC_ID": "97"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "Arun Kanuparthi, Hareesh Khattri, Parbati Kumar Manna, Narasimha Kumar V Mangipudi", "Submission_Organization": "Intel Corporation", "Submission_Date": "2020-02-12", "Submission_Version": "4.1", "Submission_ReleaseDate": "2020-02-24"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Maintenance_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-04-28", "Modification_Version": "4.7", "Modification_ReleaseDate": "2022-04-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-06-28", "Modification_Version": "4.8", "Modification_ReleaseDate": "2022-06-28", "Modification_Comment": "updated Applicable_Platforms"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-04-03", "Modification_Version": "4.17", "Modification_ReleaseDate": "2025-04-03", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2020-08-20", "#text": "Cryptographic Primitives used without Successful Self-Test"}}}
