Exploring CWE-325: Missing Cryptographic Step
Introduction
The OWASP Top Ten list provides in-depth information about the most common security issues facing web applications. Number two on the list is A02:2021 – Cryptographic Failures, which covers a wide range of common mistakes.
Cryptographic algorithms and protocols are carefully designed processes where each step is likely critical to the security of the protocol. CWE-325 is one of the vulnerabilities covered by the OWASP list and focuses on the impacts of missing one of these crucial steps.
Cryptography is a Delicate Process
The most secure cryptographic algorithm is also the simplest. The one-time pad uses exclusive-or (XOR) to combine each bit of the plaintext with the corresponding bit of a secret key. As long as that key is random and used only once, the protocol is information-theoretically secure.
Since it’s often not practical to share massive amounts of random key material for use with the one-time pad, weaker and more complex algorithms are used on a day-to-day basis. These algorithms, like the Advanced Encryption Standard (AES), are often constructed as a series of steps that may be repeated multiple times. For example, AES uses 10, 12, or 14 multi-step rounds to encrypt a 128-bit block of plaintext.
Beyond the fundamental cryptographic algorithms, cryptographic protocols also often contain multiple steps. For example, handshake protocols such as the ones used by the Transport Layer Security (TLS) protocol commonly involve sending multiple messages back and forth between the client and the server. While some of these messages may just be used to agree on configuration information, others are essential to the security of the protocol.
For example, authentication protocols commonly involve a step where one or both parties send the other a publicly known message encrypted with a secret key. This proves that the party knows the secret key and is not just replaying a valid authentication session to gain access.
In most cases, each step in a cryptographic algorithm or protocol is essential to its security. Known attacks exist against versions of AES with fewer rounds that are ineffective against the full-round algorithm. An authentication protocol without the challenge-response step may be vulnerable to replay attacks. As a result, a failure to perform every step in a cryptographic algorithm or protocol – even if it seems unimportant – may undermine the security of the protocol.
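The replay weakness described above, as an added example that is not from the original article: a verifier that issues a fresh single-use challenge, next to the same verifier with that step skipped. It uses HMAC-SHA256 over the challenge in place of the encryption the text mentions; the class, function and variable names are hypothetical.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = secrets.token_bytes(32)  # constructed demo key known to both parties


def respond(key: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the key by MACing the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side. With use_challenge=False the fresh-challenge step is
    skipped and every session signs the same publicly known message."""

    FIXED_MESSAGE = b"login"

    def __init__(self, key: bytes, use_challenge: bool = True):
        self.key = key
        self.use_challenge = use_challenge
        self.pending = set()  # challenges issued and not yet answered

    def new_challenge(self) -> bytes:
        if not self.use_challenge:
            return self.FIXED_MESSAGE
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.use_challenge:
            if challenge not in self.pending:
                return False  # unknown or already answered challenge
            self.pending.discard(challenge)  # each challenge is single use
        elif challenge != self.FIXED_MESSAGE:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_accepted(verifier: Verifier) -> bool:
    """Run one legitimate session, then present the recorded bytes again."""
    challenge = verifier.new_challenge()
    recorded = respond(SHARED_KEY, challenge)
    assert verifier.verify(challenge, recorded)  # legitimate login succeeds
    verifier.new_challenge()  # a later session begins
    return verifier.verify(challenge, recorded)  # same bytes, second time
```

`replay_accepted` returns `True` for the verifier built with `use_challenge=False` and `False` for the default one, which is the difference the missing step makes.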
Why Cryptographic Implementations Might Be Missing Critical Steps
Most cryptographic algorithms are in the public domain with instructions or descriptions of how they are supposed to work. However, implementations of these algorithms may be missing crucial steps for a few different reasons, including:
- Imperfect Implementations: Cryptographic algorithms are commonly defined in academic papers and later implemented as executable code. If the developer that implements a cryptographic algorithm or protocol has an incomplete understanding of how the protocol works, then it is possible that they might miss critical steps.
- Poor Documentation: If implementing strong cryptography with a library requires multiple steps, then developers need clear documentation to ensure that everything is performed properly. If it is possible to write code that is missing steps but runs without errors and if documentation is poor, then developers may inadvertently miss critical steps when implementing cryptography.
- Resource Constraints: Cryptographic algorithms and protocols commonly include resource-intensive operations. If developers are writing for resource-constrained devices, they may eliminate these expensive operations if it is not clear that they are important to the security of the protocol.
Case Study: Bluetooth ECC Validation
Many Bluetooth applications use the Elliptic Curve Diffie-Hellman (ECDH) algorithm during the device pairing process to generate a shared secret key from devices’ public/private keypairs. ECC algorithms take advantage of the fact that certain operations on an elliptic curve (point addition and multiplication) are equivalent to the integer operations commonly used in asymmetric cryptography (multiplication and exponentiation). Additionally, ECC consumes less power and uses shorter keys to achieve the same level of security as integer-based variants, making it ideal for resource-constrained devices communicating over Bluetooth.
Like many cryptographic protocols, the Bluetooth pairing protocol requires both devices to agree on the configuration parameters used. ECC can use a variety of different elliptic curves, and some have better security than others.
The issue tracked by CVE-2018-5383 is that some implementations of the ECC-based pairing protocol did not perform full validation of the ECC parameters. As a result, an attacker could inject an invalid private key into the communication. This could allow them to learn the shared session key with a high probability of success. With the shared secret key, the attacker could read all messages and potentially forge messages that a device would believe originated from the other party.
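The kind of validation step whose omission the case study describes, as an added example (not code from any Bluetooth stack): checking that a received elliptic-curve point has in-range coordinates and satisfies the curve equation before it is used in ECDH. The choice of NIST P-256, the 64-byte X||Y big-endian encoding and all function names are assumptions of this example.

```python
from typing import Tuple

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point, used below only as a known-good sample point.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPoint(ValueError):
    """Raised when a received point must not be used for key agreement."""


def validate_peer_point(x: int, y: int) -> Tuple[int, int]:
    """Accept a point only if both coordinates are field elements and
    the pair satisfies the curve equation. Both coordinates are checked."""
    if not (0 <= x < P and 0 <= y < P):
        raise InvalidPoint("coordinate outside the field")
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPoint("point is not on the curve")
    # P-256 has cofactor 1, so an on-curve affine point needs no order check.
    return x, y


def decode_and_validate(blob: bytes) -> Tuple[int, int]:
    """Parse the assumed 64-byte X||Y big-endian encoding, then validate."""
    if len(blob) != 64:
        raise InvalidPoint("expected 64 bytes")
    x = int.from_bytes(blob[:32], "big")
    y = int.from_bytes(blob[32:], "big")
    return validate_peer_point(x, y)


def is_accepted(x: int, y: int) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        validate_peer_point(x, y)
        return True
    except InvalidPoint:
        return False
```

A key-agreement routine would call `decode_and_validate` on the peer's bytes and abort the pairing on `InvalidPoint` before any scalar multiplication takes place.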
Implementing Cryptography Correctly
Cryptographic algorithms and protocols can be complex, multi-stage processes. However, in most cases, these steps are necessary to the security of the protocol, and eliminating even seemingly inconsequential steps can have dramatic impacts. Some best practices when working with cryptography include:
- When possible, use a trusted library implementation of an application or protocol
- Read and follow documentation for cryptographic algorithms
- When implementing cryptography, don’t try to skip or optimize “unnecessary” or “inefficient” steps
Up Next
To help build understanding of how cryptography can go wrong and how to fix it, we’ll continue to dive deep into prevention measures and most of the 29 CWEs related to OWASP’s A02:2021 – Cryptographic Failures vulnerability in a series of blogs. Each blog will describe the weakness, why it happens, a real-world case study, and recommended mitigations.