CWE-325: Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
Technical Details
- Structure: Simple
Applicable To
Security Consequences
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HMAC is a message authentication code (MAC) that uses both a hash and a secret crypto key. The HMAC engine in the HACK@DAC SoC uses the SHA-256 module to calculate the HMAC for 512-bit messages.
However, this HMAC engine cannot handle messages that are longer than 512 bits. Moreover, a complete HMAC contains an iterated hash function that breaks a message into blocks of a fixed size and iterates over them with a compression function (e.g., SHA-256). Therefore, the implementation of the HMAC in the OpenPiton SoC is incomplete. Such HMAC engines will not be used in real-world applications, as messages will usually be longer than 512 bits. For instance, OpenTitan offers a comprehensive HMAC implementation that utilizes a FIFO for temporarily storing the truncated message, as detailed in [REF-1359].
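A known-answer check that would expose the missing block-iteration step described above, as an added example that is not code from this page or from the HACK@DAC or OpenTitan projects. `hmac_sha256_single_block` is a hypothetical software model that assumes the incomplete engine hashes only the first 512 bits of a message; the key, lengths and messages are constructed.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 block size in bytes (512 bits)

def hmac_sha256_full(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104; hashlib iterates the compression function over every block."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def hmac_sha256_single_block(key: bytes, msg: bytes) -> bytes:
    """Hypothetical model of an engine lacking the iteration step:
    only the first 512 bits of the message reach the hash (assumption)."""
    return hmac_sha256_full(key, msg[:BLOCK])

def failing_lengths(impl, key: bytes, lengths) -> list:
    """Known-answer check: message lengths where impl disagrees with the reference."""
    bad = []
    for n in lengths:
        msg = bytes(i % 251 for i in range(n))  # constructed test message
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(impl(key, msg), expected):
            bad.append(n)
    return bad

def tail_is_authenticated(impl, key: bytes) -> bool:
    """True if changing bytes beyond the first block changes the tag."""
    a = b"A" * BLOCK + b"amount=10"  # constructed messages sharing one block
    b = b"A" * BLOCK + b"amount=99"
    return not hmac.compare_digest(impl(key, a), impl(key, b))

KEY = b"constructed-demo-key"
LENGTHS = [0, 1, 55, 56, 63, 64, 65, 128, 1000]  # straddle the 64-byte boundary

if __name__ == "__main__":
    for name, impl in [("full", hmac_sha256_full),
                       ("single-block", hmac_sha256_single_block)]:
        print(name, "fails at lengths:", failing_lengths(impl, KEY, LENGTHS))
        print(name, "authenticates tail:", tail_is_authenticated(impl, KEY))
```

Test lengths on both sides of the block boundary matter here: a suite that only uses messages of 512 bits or fewer passes for both implementations.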
Observed CVE Examples (1)
Missing challenge-response step allows authentication bypass using public key.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-325: Missing Cryptographic Step?
CWE-325: Missing Cryptographic Step is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
What are the security consequences of Missing Cryptographic Step?
If exploited, CWE-325 (Missing Cryptographic Step) can compromise Access Control, Confidentiality, Integrity, Accountability and Non-Repudiation, leading to outcomes such as Bypass Protection Mechanism, Read Application Data, Modify Application Data and Hide Activities.
Which programming languages are affected by Missing Cryptographic Step?
CWE-325 is not language-specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Missing Cryptographic Step?
MITRE documents real CVEs mapped to CWE-325, including CVE-2001-1585. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-325 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.