DerScanner
Home / Vulnerability Database / T-SQL : Weak encryption algorithm
T-SQL

T-SQL : Weak encryption algorithm

Classification

OWASP Top 10 2013
A6-Sensitive Data Exposure
OWASP Top 10 2017
A3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure Design
OWASP MASVS
V3: 3.2.(L1/L2/L1+R/L2+R)V3: 3.4.(L1/L2/L1+R/L2+R)V8: 8.13.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyAuthenticationAuthenticationAuthentication
PCI DSS 4.0
3.6.16.2.48.3.2
HIPAA
§164.312 (a)(2)(iv)
CWE
CWE-327CWE-1032
CWE/SANS Top 25 2011
CWE-327

Overview

The application uses a weak encryption algorithm.

Obsolete encryption algorithms do not provide sufficient protection for applications that work with valuable data. Security of a cryptographic algorithm is determined by the estimated expense of time and resources required to get access to the encrypted data. Constant development of new attacks and increase in hardware performance make previously considered safe algorithms obsolete. For example, DES because of the small key length (56 bits) can be cracked by an exhaustive search.

In order to protect valuable data, use well tested implementations of standard encryption algorithms with sufficiently long keys.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Top 10 2013-A6-Sensitive Data Exposure
  2. CREATE SYMMETRIC KEY (Transact-SQL)
  3. OWASP Top 10 2017-A3-Sensitive Data Exposure
  4. CWE-327
  5. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  6. Data Encryption Standard - wikipedia.org
  7. Bleichenbacher’s attack
CRITICAL

DerScanner Severity Score

Do you want to fix T-SQL : Weak encryption algorithm in your application?

See also

T-SQL

T-SQL : Weak hashing algorithm

T-SQL

T-SQL : Weak random number generator

T-SQL

T-SQL : Incorrect comparison with NULL