- Description: Developers choose a weak or outdated cipher algorithm (e.g., DES, RC4) or a weak mode of operation (e.g., ECB) available within Crypto++ for encryption. An attacker could passively eavesdrop on encrypted communications or actively manipulate encrypted data. This is a direct misuse of Crypto++'s available options.
- Impact:
- Confidentiality breach: Sensitive data encrypted with weak ciphers can be decrypted.
- Integrity violation: Data encrypted with weak modes (like ECB) can be altered.
- Loss of user trust, legal/regulatory consequences.
- Affected Crypto++ Component:
BlockCipherimplementations (e.g.,DES,AES,Blowfish)StreamCipherimplementations (e.g.,RC4,Salsa20)- Mode of operation classes (e.g.,
ECB_Mode,CBC_Mode,CTR_Mode)
- Risk Severity: High
- Mitigation Strategies:
- Enforce Strong Defaults: Configure the application to default to strong ciphers (AES-256, ChaCha20) and authenticated encryption (GCM, CCM).
- Deprecate/Disable Weak Options: Remove or disable weak ciphers/modes in the build or via runtime checks.
- Code Review and Static Analysis: Detect the use of weak primitives.
- Developer Education: Train developers on appropriate algorithm/mode selection.
- Impact:
- Description: The application uses Crypto++'s
CBC_Modewith padding (e.g., PKCS#7) but fails to handle padding errors correctly. An attacker sends crafted ciphertexts, observing error responses or timing differences to decrypt the ciphertext without the key. This is a direct misuse of theCBC_Modeimplementation.- Impact:
- Confidentiality breach: Decrypt arbitrary ciphertexts.
- Potential for further attacks.
- Affected Crypto++ Component:
CBC_Mode(specifically with padding)- Decryption functions within
CBC_Mode
- Risk Severity: High
- Mitigation Strategies:
- Use Authenticated Encryption: Prioritize GCM, CCM, or EAX, which are inherently resistant.
- Constant-Time Padding Verification: If CBC must be used, implement constant-time padding verification. Review Crypto++'s implementation for constant-time guarantees.
- Generic Error Handling: Return a generic error message, regardless of the padding error.
- Impact:
- Description: The application uses a weak key derivation function (KDF) provided by Crypto++, such as a low-iteration PBKDF2 or a simple hash-based KDF. An attacker can perform brute-force or dictionary attacks on the password to derive the encryption key. This is a direct misuse of Crypto++'s KDF options.
- Impact:
- Key compromise: Obtain the encryption key.
- Loss of confidentiality and integrity.
- Affected Crypto++ Component:
PKCS5_PBKDF2_HMAC(if used with low iteration count)PasswordBasedKeyDerivationFunction(base class, if a weak derived class is used)
- Risk Severity: Critical
- Mitigation Strategies:
- Use Strong KDFs: Use Argon2 (Argon2id). If PBKDF2 must be used, use a very high iteration count (hundreds of thousands or more).
- Salting: Use a unique, random salt (at least 128 bits).
- Consider Alternatives: Use a dedicated key management library or HSM.
- Impact:
- Description: The application relies on a weak or improperly configured random number generator (RNG) within Crypto++. This could involve using a non-cryptographic PRNG or failing to properly seed
AutoSeededRandomPool. An attacker could predict generated random numbers, compromising key generation, IVs, and nonces.- Impact:
- Key Compromise: Predictable keys.
- Replay Attacks: Predictable nonces.
- Loss of confidentiality and integrity.
- Affected Crypto++ Component:
RandomNumberGenerator(base class)AutoSeededRandomPool(if improperly seeded)OS_GenerateRandomBlock(if the OS RNG is weak or unavailable)
- Risk Severity: Critical
- Mitigation Strategies:
- Use a Strong RNG: Ensure Crypto++ uses a CSPRNG.
AutoSeededRandomPoolis usually good, but verify proper seeding. - OS-Provided RNG: Prefer the OS's CSPRNG via
OS_GenerateRandomBlock. - External Entropy: Seed with additional entropy from a trusted source.
- Avoid Weak RNGs: Never use
std::rand()or Mersenne Twister for cryptography.
- Use a Strong RNG: Ensure Crypto++ uses a CSPRNG.
- Impact:
- Description:
SecByteBlockis misused, leading to vulnerabilities. Examples include accessing the underlying data pointer without bounds checking or failing to zeroize memory after use. This is a direct misuse of a core Crypto++ memory management class.- Impact:
- Information Leakage: Sensitive data remains in memory.
- Buffer Overflows: Incorrect pointer arithmetic.
- Affected Crypto++ Component:
SecByteBlock
- Risk Severity: High
- Mitigation Strategies:
- Use
SecByteBlockAPI: Always use provided API methods. Avoid direct pointer manipulation. - Zeroize Memory: Ensure memory is zeroized when no longer needed.
SecByteBlock's destructor should handle this, but explicit zeroization is good practice. Usememset_sor Crypto++'sসেক্রেtZeroize. - Code Review: Review code using
SecByteBlock.
- Use
- Impact:
- Description: The application uses Crypto++ for digital signature verification but fails to properly validate the signature or the certificate chain (if applicable). This is a direct misuse of Crypto++'s signature verification APIs. An attacker could forge a signature or use an invalid certificate.
- Impact:
- Integrity Violation: Accept modified or forged data.
- Loss of Trust.
- Affected Crypto++ Component:
- Signature verification functions (e.g.,
RSASS<>::Verifier,ECDSA<>::Verifier,DSA::Verifier) - Hash functions used in signature schemes (e.g.,
SHA256,SHA3_256)
- Signature verification functions (e.g.,
- Risk Severity: Critical
- Mitigation Strategies:
- Complete Verification: Implement full verification:
- Check signature against the public key.
- Validate the certificate chain (if applicable).
- Check for certificate revocation.
- Strong Algorithms: Use strong signature algorithms.
- Code Review: Thoroughly review verification code.
- Complete Verification: Implement full verification:
- Impact: