Use of a Key Past its Expiration Date

Draft Base

Structure: Simple

Description

This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key.

Extended Description

Using a key past its expiration date significantly weakens your security posture. While an expired key isn't automatically compromised, the longer it remains active, the greater the chance it could be discovered through brute-force attacks, leaks, or advancing computational power. This extended usage window directly undermines the cryptographic strength you initially implemented. To maintain robust security, you must proactively manage key lifecycles. Establish and enforce a key rotation schedule that replaces keys within a timeframe appropriate for their algorithm and bit strength. Regular rotation limits the potential damage if a key is exposed and aligns with security best practices for data protection.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection MechanismGain Privileges or Assume Identity

The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.

Potential Mitigations 1

Phase: Architecture and Design

Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

Demonstrative Examples 1

The following code attempts to verify that a certificate is valid.

Code Example:

Bad

//do stuff* }

The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.

Observed Examples 1

CVE-2021-33020Picture Archiving and Communication System (PACS) system for hospitals uses a cryptographic key or password past its expiration date

References 2

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44

The CLASP Application Security Process

Secure Software, Inc.

2005

https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)

ID: REF-18

Likelihood of Exploit

Low

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Modes of Introduction

Architecture and Design

Related Weaknesses

ChildOf:

Operation on a Resource after Expiration or Release (CWE-672)

PeerOf:

Improper Validation of Certificate Expiration (CWE-298)

Taxonomy Mapping

CLASP