Encryption/Decryption Bugs (ENC) Class
We define Encryption/Decryption Bugs (ENC) as:
Encryption Bugs: The software does not properly transform sensitive data (plaintext) into unintelligible form (ciphertext) using a cryptographic algorithm and key(s).
Decryption Bugs: The software does not properly transform ciphertext into plaintext using a cryptographic algorithm and key(s).
Note that "transform" is for confidentiality.
Fig. 1 depicts ENC causes, attributes and consequences.
Fig 1. Encryption/Decryption Bugs (ENC) Class.
Sensitive Data – Credentials, System Data, State Data, Cryptographic Data, Digital Documents.
This is secret (confidential) data. Credentials include Password, Token, Smart Card, Digital Certificate, Biometrics (fingerprint, hand configuration, retina, iris, voice). System Data could be configurations, logs, Web usage. Cryptographic Data consists of hashes, keys, keying material. Keying material is cryptographic keys, initialization vectors, shared secrets, domain parameters, random bits (seeds, salts, nonces).
Data State – Stored, Transferred.
This reflects whether data is at rest or in use, or whether data is in transit. Secure storage is needed for data at rest or in use in files (e.g. ini, temp, configuration, log server, debug, cleanup, email attachment, login buffer, executable, backup, core dump, access control list, private data index), directories (Web root, FTP root, CVS repository), registry, cookies, source code & comments, GUI, environment variables. Secure transfer is also needed for data in transit between processes or over a network.
Algorithm – Symmetric, Asymmetric.
This is the key encryption scheme used to securely store/transfer sensitive data. Symmetric (secret) key algorithms (e.g. Serpent, Blowfish) use one shared key. Asymmetric (public) key algorithms (e.g. Diffie-Hellman, RSA) use two keys (a public key and a private key).
Security Service(s) – Confidentiality (and in some modes of encryption Integrity and Identity Authentication).
This is the security service that the encryption process failed to provide. Confidentiality is the main security service provided by encryption. Services marked with ‘~’ in the figure are provided only by some specific modes of encryption.
In the graph of causes, modification of algorithm means removing, changing or adding a cryptographic step. An improper algorithm or step could be missing, inadequate, weak, or risky/broken. An insecure mode of operation leads to a weak encryption algorithm.
Consequences
ENC is a high level class, so sites do not apply.
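The following is an added illustration of the point made above that confidentiality is the only service every encryption mode provides, and that integrity comes only from specific (authenticated) modes; it is not code from the Bugs Framework or the cited paper. Because Python's standard library has no block cipher, the keystream is HMAC-SHA256 used as a PRF in counter mode (a stand-in chosen for runnability, not a recommendation over a vetted AEAD such as AES-GCM). The keys, nonce and message are constructed; the function names are this example's own. It contrasts a confidentiality-only mode, where a flipped ciphertext bit silently flips the corresponding plaintext bit (an insecure mode of operation for data whose integrity matters), with an encrypt-then-MAC construction that rejects the tampered message before decrypting.

```python
"""Confidentiality-only vs. authenticated encryption (added example, stdlib only)."""
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC-SHA256(key, nonce || i).

    Stand-in for a real cipher keystream; the linearity of XOR is what matters here.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Confidentiality only: an unauthenticated counter mode -------------------
def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext. Nothing binds the ciphertext to the key."""
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    """Accepts any input: a flipped ciphertext bit becomes a flipped plaintext bit."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


# --- Confidentiality + integrity: encrypt-then-MAC with independent keys -----
def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before any plaintext is produced."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: nonce or ciphertext was modified")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulates in-transit corruption/modification of one ciphertext bit."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    """Constructed keys and message; returns observations instead of printing them."""
    enc_key = bytes(range(32))        # constructed, NOT a real key
    mac_key = bytes(range(32, 64))    # constructed, independent of enc_key
    nonce = b"\x00" * NONCE_LEN       # fixed only for reproducibility; never reuse in practice
    msg = b"transfer amount=0100 to=alice"

    # Confidentiality-only mode: flipping the low bit of the '0' in "0100"
    # turns it into '1' in the decrypted plaintext, and nothing notices.
    idx = msg.index(b"0100")
    blob = encrypt_unauthenticated(enc_key, nonce, msg)
    malleated = decrypt_unauthenticated(enc_key, flip_bit(blob, NONCE_LEN + idx, 0))

    # Authenticated mode: the same modification is rejected before decryption.
    ablob = encrypt_authenticated(enc_key, mac_key, nonce, msg)
    try:
        decrypt_authenticated(enc_key, mac_key, flip_bit(ablob, NONCE_LEN + idx, 0))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "roundtrip_ok": decrypt_authenticated(enc_key, mac_key, ablob) == msg,
        "malleated_plaintext": malleated,
        "authenticated_rejects_tamper": rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the block shows the unauthenticated decryption returning `transfer amount=1100 to=alice` without error, while the authenticated variant raises before releasing any plaintext. The design point for a reviewer classifying an ENC bug: if the data also needs integrity or authentication, choosing a confidentiality-only mode is the "insecure mode of operation" cause, even when the underlying algorithm and key are sound.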
Related BF Classes
BF classes related to ENC are: KMN, RND, and IEX.
Related CWEs and SFP
CWEs related to Encryption (although some are not ENC) are: CWE-256, CWE-257, CWE-261, CWE-311, CWE-312, CWE-313, CWE-314, CWE-315, CWE-316, CWE-317, CWE-318, CWE-325, CWE-326, CWE-327, CWE-329, CWE-780.
Application examples are provided here.
Bojanova, I., Black, P. E., Yesha, Y., Cryptography Classes in Bugs Framework (BF): Encryption Bugs (ENC), Verification Bugs (VRF), and Key Management Bugs (KMN). IEEE Software Technology Conference (STC 2017), NIST, Gaithersburg, USA. September