Missing Cryptographic Step

Draft Base
Structure: Simple
Description

This vulnerability occurs when a software implementation skips a critical step in a cryptographic process, resulting in security that is significantly weaker than the intended algorithm provides.

Extended Description

Cryptographic algorithms are designed as a sequence of specific, interdependent steps. Each step serves a purpose, such as ensuring randomness, preventing pattern analysis, or binding data together securely. When a developer omits one of these steps—whether during key generation, encryption, decryption, or integrity verification—the entire cryptographic operation becomes fragile. The resulting system may appear to function normally but can be easily broken by attackers using well-known techniques, completely undermining the promised security.

This flaw often stems from using incomplete code samples, misunderstanding algorithm specifications, or attempting to 'optimize' performance by removing so-called 'unnecessary' operations.

To prevent it, developers should rely on reputable, high-level cryptographic libraries rather than implementing algorithms from scratch. Always follow the official algorithm specification or RFC meticulously, and use established test vectors to verify that every required step is correctly executed in the proper order.

Common Consequences
Scope: Access Control

Impact: Bypass Protection Mechanism

Scope: Confidentiality, Integrity

Impact: Read Application Data; Modify Application Data

Scope: Accountability, Non-Repudiation

Impact: Hide Activities

Demonstrative Examples
The example code is taken from the HMAC engine inside the buggy OpenPiton SoC of HACK@DAC'21 [REF-1358]. HMAC is a message authentication code (MAC) that uses both a hash and a secret crypto key. The HMAC engine in the HACK@DAC SoC uses the SHA-256 module to calculate the HMAC for 512-bit messages.

Code Example:

Bad
Verilog

logic [511:0] bigData; // message input is a single fixed 512-bit word
...

hmac hmac(
    .message_i(bigData),
    .hash_o(hash),
    .ready_o(ready),
    .hash_valid_o(hashValid)
);

However, this HMAC engine cannot handle messages longer than 512 bits. A complete HMAC implementation includes an iterated hash function that breaks a message into fixed-size blocks and iterates over them with a compression function (e.g., SHA-256). The HMAC implementation in the OpenPiton SoC is therefore incomplete. Such HMAC engines will not be used in real-world applications, as messages will usually be longer than 512 bits. For instance, OpenTitan offers a comprehensive HMAC implementation that uses a FIFO to temporarily store the truncated message, as detailed in [REF-1359].

To mitigate this, implement the iterative function that breaks a message into blocks of a fixed size.
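The advice above to verify every step with established test vectors, applied to the single-block limitation in this example. This Python code is an added illustration, not code from the OpenPiton SoC, OpenTitan, or the original entry. It builds HMAC-SHA256 per RFC 2104 and runs two checks against it and against two flawed variants. The variants, the helper names and the long sample message are constructed for this example; Python's standard `hmac` module is assumed as the reference.

```python
import hashlib
import hmac as stdlib_hmac  # reference implementation used as the oracle

BLOCK = 64  # SHA-256 block size: 64 bytes = 512 bits

def _pads(key: bytes):
    """RFC 2104 key preparation: hash over-long keys, zero-pad, derive ipad/opad."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)

def hmac_complete(key: bytes, msg: bytes) -> bytes:
    """Every step present: inner hash over the whole message, then outer hash."""
    ipad, opad = _pads(key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def hmac_one_block(key: bytes, msg: bytes) -> bytes:
    """Constructed flawed variant: consumes only the first 512 bits of the message."""
    return hmac_complete(key, msg[:BLOCK])

def hmac_no_outer(key: bytes, msg: bytes) -> bytes:
    """Constructed flawed variant: the outer keyed hash is skipped."""
    ipad, _ = _pads(key)
    return hashlib.sha256(ipad + msg).digest()

# RFC 4231 test case 2 (short message) and a constructed multi-block message.
RFC4231_TC2 = (b"Jefe", b"what do ya want for nothing?",
               "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")
LONG_MSG = b"A" * BLOCK + b"B" * BLOCK + b"tail"  # constructed sample, 132 bytes

def failed_checks(impl) -> list:
    """Return the names of the checks an implementation fails (empty list = pass)."""
    failures = []
    key, msg, expected = RFC4231_TC2
    if impl(key, msg).hex() != expected:
        failures.append("rfc4231-tc2")
    want = stdlib_hmac.new(key, LONG_MSG, hashlib.sha256).digest()
    if not stdlib_hmac.compare_digest(impl(key, LONG_MSG), want):
        failures.append("multi-block")
    return failures

if __name__ == "__main__":
    for impl in (hmac_complete, hmac_one_block, hmac_no_outer):
        print(f"{impl.__name__:16} failed: {failed_checks(impl) or 'none'}")
```

The single-block variant passes the short RFC vector and fails only the multi-block check, so a test suite needs vectors longer than one hash block to catch this omission.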
Observed Examples
CVE-2001-1585: Missing challenge-response step allows authentication bypass using public key.
References
[REF-1359] HMAC HWIP Technical Specification. 2023.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Not Technology-Specific : Undetermined
Modes of Introduction
Implementation
Requirements
Functional Areas
  1. Cryptography
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • OWASP Top Ten 2007
Notes
Relationship: Overlaps incomplete/missing security check.
Relationship: Can be resultant.