CWE-1240
AllowedUse of a Cryptographic Primitive with a Risky Implementation
Abstraction: Base · Status: Draft
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
42 vulnerabilities reference this CWE, most recent first.
GHSA-3HG2-RH4R-8QF6
Vulnerability from github – Published: 2025-12-12 18:30 – Updated: 2025-12-20 02:40When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.streampark:streampark"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53960"
],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-12T20:19:56Z",
"nvd_published_at": "2025-12-12T16:15:44Z",
"severity": "HIGH"
},
"details": "When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue.",
"id": "GHSA-3hg2-rh4r-8qf6",
"modified": "2025-12-20T02:40:33Z",
"published": "2025-12-12T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53960"
},
{
"type": "WEB",
"url": "https://github.com/apache/streampark/commit/39034db0c806168afa82e58e4f376e1e3c3b73e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/streampark"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache StreamPark: Use the user\u2019s password as the secret key Vulnerability"
}
GHSA-42VR-VVGX-QHGX
Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information
{
"affected": [],
"aliases": [
"CVE-2025-64647"
],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T21:16:25Z",
"severity": "MODERATE"
},
"details": "IBM Concert 1.0.0 through 2.2.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information",
"id": "GHSA-42vr-vvgx-qhgx",
"modified": "2026-03-25T21:30:36Z",
"published": "2026-03-25T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64647"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7267105"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-434V-X5QV-PMH6
Vulnerability from github – Published: 2026-03-26 17:58 – Updated: 2026-03-26 17:58The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.
Impact
This bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.
Mitigation
Instead of silently continuing with an all-zero signing key, starting from version 0.0.7 key generation will error in the case of 100 failed attempts at sampling a valid key.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libcrux-ed25519"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-331",
"CWE-392"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T17:58:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.\n\n## Impact\nThis bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.\n\n## Mitigation\nInstead of silently continuing with an all-zero signing key, starting from version `0.0.7` key generation will error in the case of 100 failed attempts at sampling a valid key.",
"id": "GHSA-434v-x5qv-pmh6",
"modified": "2026-03-26T17:58:55Z",
"published": "2026-03-26T17:58:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cryspen/libcrux/pull/1349"
},
{
"type": "PACKAGE",
"url": "https://github.com/cryspen/libcrux"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0075.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure"
}
GHSA-4GJP-9G3V-JFMP
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.
{
"affected": [],
"aliases": [
"CVE-2026-50303"
],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:58Z",
"severity": "MODERATE"
},
"details": "Use of a cryptographic primitive with a risky implementation in Windows Key Guard allows an authorized attacker to bypass a security feature locally.",
"id": "GHSA-4gjp-9g3v-jfmp",
"modified": "2026-07-14T18:32:04Z",
"published": "2026-07-14T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50303"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4V2M-666W-FFM3
Vulnerability from github – Published: 2024-02-05 18:31 – Updated: 2024-09-06 09:32Use of a Broken or Risky Cryptographic Algorithm vulnerability in B&R Industrial Automation Automation Runtime (SDM modules).
The FTP server used on the B&R Automation Runtime supports unsecure encryption mechanisms, such as SSLv3, TLSv1.0 and TLS1.1. An network-based attacker can exploit the flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected product clients.
This issue affects Automation Runtime: from 14.0 before 14.93.
{
"affected": [],
"aliases": [
"CVE-2024-0323"
],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T16:15:54Z",
"severity": "CRITICAL"
},
"details": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in B\u0026R Industrial Automation Automation Runtime (SDM modules).\n\n\n\nThe FTP server used on the B\u0026R\nAutomation Runtime supports unsecure encryption mechanisms, such as SSLv3,\nTLSv1.0 and TLS1.1. An network-based attacker can exploit the flaws to conduct\nman-in-the-middle attacks or to decrypt communications between the affected product\nclients. \u00a0\n\nThis issue affects Automation Runtime: from 14.0 before 14.93.\n\n",
"id": "GHSA-4v2m-666w-ffm3",
"modified": "2024-09-06T09:32:30Z",
"published": "2024-02-05T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0323"
},
{
"type": "WEB",
"url": "https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encryption_mechanisms-f57c147c.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HJ5-P79M-6W3V
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2025-58720"
],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:53Z",
"severity": "HIGH"
},
"details": "Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally.",
"id": "GHSA-6hj5-p79m-6w3v",
"modified": "2025-10-14T18:30:32Z",
"published": "2025-10-14T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58720"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-58720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6V62-CVF7-MPV3
Vulnerability from github – Published: 2025-04-08 18:34 – Updated: 2025-04-08 18:34Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2025-29808"
],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T18:16:06Z",
"severity": "MODERATE"
},
"details": "Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally.",
"id": "GHSA-6v62-cvf7-mpv3",
"modified": "2025-04-08T18:34:57Z",
"published": "2025-04-08T18:34:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29808"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29808"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6WJW-QF87-FV5V
Vulnerability from github – Published: 2024-05-15 22:01 – Updated: 2024-05-15 22:01A potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false.
To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. Depending on the code within your application, this could lead to unexpected behavior when combined with weak type comparisons, for example:
<?php
$decyptedValue = decrypt($secret);
if ($decryptedValue == '') {
// Code is run even though decrypted value is false...
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "illuminate/encryption"
},
"ranges": [
{
"events": [
{
"introduced": "5.5.0"
},
{
"fixed": "5.5.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "illuminate/encryption"
},
"ranges": [
{
"events": [
{
"introduced": "5.6.0"
},
{
"fixed": "5.6.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T22:01:01Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "A potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false.\n\nTo exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. Depending on the code within your application, this could lead to unexpected behavior when combined with weak type comparisons, for example:\n\n```php\n\u003c?php\n\n$decyptedValue = decrypt($secret);\n\nif ($decryptedValue == \u0027\u0027) {\n // Code is run even though decrypted value is false...\n}\n```",
"id": "GHSA-6wjw-qf87-fv5v",
"modified": "2024-05-15T22:01:01Z",
"published": "2024-05-15T22:01:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/illuminate/encryption/commit/51667a52bd7d135c6aa40a897656ffe9d3cd072d"
},
{
"type": "WEB",
"url": "https://github.com/illuminate/encryption/commit/c80b1da6a0412bd74bd56dc80f6126f561631b05"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/encryption/2018-03-30-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/illuminate/encryption"
},
{
"type": "WEB",
"url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Laravel Encrypter Failure to decryption vulnerability"
}
GHSA-753P-WRJ5-G8FJ
Vulnerability from github – Published: 2024-12-11 21:47 – Updated: 2024-12-11 21:48Impact
A correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.
No concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.
Patches
PQClean does not have a release process, as it is a collection of implementations. If you obtained a HQC implementation from PQClean, please update to a version that includes the fixes proposed in https://github.com/PQClean/PQClean/pull/578.
Please also refer to our security policy.
Workarounds
Manually patching is always possible
Further details
In the 2023/04/30 version of the HQC specification and reference implementation, an extra field (sigma) was added to the secret key structure to enable implicit rejection of malformed ciphertexts. The logic to retrieve the public key from the secret key in the decapsulation function was not updated accordingly. As a result, sigma is treated as part of the public key. Later in the decapsulation call, a incorrectly constructed comparison check allows this error to go through undetected. Due to how these two bugs interfere with each other, the decapsulation function never uses sigma to perform implicit rejection; instead, it accepts malformed ciphertexts and returns shared secrets based on their decryptions.
References
This issue was first reported in OQS https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7. The vulnerability was identified by Célian Glénaz and Dahmun Goudarzi (Quarkslab).
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "pqcrypto-hqc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240",
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-11T21:47:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nA correctness error has been identified in the reference implementation of the HQC key encapsulation mechanism. Due to an indexing error, part of the secret key is incorrectly treated as non-secret data. This results in an incorrect shared secret value being returned when the decapsulation function is called with a malformed ciphertext.\n\nNo concrete attack exploiting the error has been identified at this point. However, the error involves mishandling of the secret key, and in principle this presents a security vulnerability.\n\n### Patches\n\nPQClean does not have a release process, as it is a collection of implementations. If you obtained a HQC implementation from PQClean, please update to a version that includes the fixes proposed in https://github.com/PQClean/PQClean/pull/578. \n\nPlease also [refer to our security policy](https://github.com/PQClean/PQClean/blob/master/SECURITY.md).\n\n### Workarounds\n\nManually patching is always possible\n\n### Further details\n\nIn the 2023/04/30 version of the HQC specification and reference implementation, an extra field (sigma) was added to the secret key structure to enable implicit rejection of malformed ciphertexts. The logic to retrieve the public key from the secret key in the decapsulation function was not updated accordingly. As a result, sigma is treated as part of the public key. Later in the decapsulation call, a incorrectly constructed comparison check allows this error to go through undetected. Due to how these two bugs interfere with each other, the decapsulation function never uses sigma to perform implicit rejection; instead, it accepts malformed ciphertexts and returns shared secrets based on their decryptions.\n\n### References\n\nThis issue was first reported in OQS https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7. The vulnerability was identified by C\u00e9lian Gl\u00e9naz and Dahmun Goudarzi (Quarkslab).\n",
"id": "GHSA-753p-wrj5-g8fj",
"modified": "2024-12-11T21:48:32Z",
"published": "2024-12-11T21:47:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/security/advisories/GHSA-753p-wrj5-g8fj"
},
{
"type": "WEB",
"url": "https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-gpf4-vrrw-r8v7"
},
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/pull/578"
},
{
"type": "WEB",
"url": "https://github.com/rustpq/pqcrypto/commit/0c07fa8badbf44f67d3ff1571df31ca54e5228c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/PQClean/PQClean"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "PQClean has a correctness error in HQC decapsulation"
}
GHSA-7852-W36X-6MF6
Vulnerability from github – Published: 2024-05-15 22:08 – Updated: 2024-05-15 22:08The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application's code, such as the example below:
<?php
$decyptedValue = decrypt($secret);
if ($decryptedValue == '') {
// Code is run even though decrypted value is false...
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "5.6.0"
},
{
"fixed": "5.6.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1240"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-15T22:08:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of `false`. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application\u0027s code, such as the example below:\n\n```\n\u003c?php\n\n$decyptedValue = decrypt($secret);\n\nif ($decryptedValue == \u0027\u0027) {\n // Code is run even though decrypted value is false...\n}\n```",
"id": "GHSA-7852-w36x-6mf6",
"modified": "2024-05-15T22:08:06Z",
"published": "2024-05-15T22:08:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/laravel/framework/commit/28e53f23a76206fb130e9a54eb95aa3f010e79c9"
},
{
"type": "WEB",
"url": "https://github.com/laravel/framework/commit/886d261df0854426b4662b7ed5db6a1c575a4279"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-03-30-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/laravel/framework"
},
{
"type": "WEB",
"url": "https://medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior"
}
Mitigation MIT-55
Require compliance with the strongest-available recommendations from trusted parties, and require that compliance must be kept up-to-date, since recommendations evolve over time. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
Mitigation
Ensure that the architecture/design uses the strongest-available primitives and algorithms from trusted parties. For example, US government systems require FIPS 140-3 certification, which supersedes FIPS 140-2 [REF-1192] [REF-267].
Mitigation MIT-54
Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. As with all cryptographic mechanisms, the source code should be available for analysis. If the algorithm may be compromised when attackers find out how it works, then it is especially weak.
Mitigation
Try not to use cryptographic algorithms in novel ways or with new modes of operation even when you "know" it is secure. For example, using SHA-2 chaining to create a 1-time pad for encryption might sound like a good idea, but one should not do this.
Mitigation MIT-52
Ensure that the design can replace one cryptographic primitive or algorithm with another in the next generation ("cryptographic agility"). Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. This is especially important for hardware, which can be more difficult to upgrade quickly than software; design the hardware at a replaceable block level.
Mitigation
Do not use outdated or non-compliant cryptography algorithms. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong [REF-267].
Mitigation
Do not use a linear-feedback shift register (LFSR) or other legacy methods as a substitute for an accepted and standard Random Number Generator.
Mitigation
Do not use a checksum as a substitute for a cryptographically generated hash.
Mitigation
Strategy: Libraries or Frameworks
Use a vetted cryptographic library or framework. Industry-standard implementations will save development time and are more likely to avoid errors that can occur during implementation of cryptographic algorithms. However, the library/framework could be used incorrectly during implementation.
Mitigation
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for the prevention of common attacks.
Mitigation
Do not store keys in areas accessible to untrusted agents. Carefully manage and protect the cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography algorithm is irrelevant.
CAPEC-97: Cryptanalysis
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).