CWE-326 Inadequate Encryption Strength
Description
The application protects data with a cryptographic scheme that is not strong enough for the protection it is meant to provide: keys that are too short (RSA below 2048 bits, DES), deprecated algorithms, or, as in both examples below, something that is not cryptography at all (a fast unsalted digest, or a plain encoding) used where a password hash belongs.
Reference: https://cwe.mitre.org/data/definitions/326.html
OWASP Category: A02:2021 – Cryptographic Failures
Vulnerable Pattern
❌ Example 1
The stored credential is an unsalted SHA-1 digest. SHA-1 is a fast hash designed for integrity, not for passwords: anyone who reads the digest can brute-force it offline at billions of guesses per second or look it up in a precomputed (rainbow) table, and practical SHA-1 collisions have been demonstrated since 2017.
```java
import java.util.Map;

import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestParam;

// Vulnerable: LEVEL2_HASH is an unsalted SHA-1 digest of the password, so it
// can be recovered offline by brute force or a precomputed table.
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel2(
        @RequestParam Map<String, String> queryParams) {
    String password = queryParams.get(PASSWORD_PARAM);
    if (password == null || password.isEmpty()) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "CHALLENGE: A user's password is stored as SHA1 hash: "
                                + LEVEL2_HASH
                                + " — Crack it and enter the original password!",
                        false),
                HttpStatus.OK);
    }
    // Fast, unsalted digest of the guess; String.equals is not constant-time either.
    String guessHash = DigestUtils.sha1Hex(password);
    if (guessHash.equals(LEVEL2_HASH)) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "Correct! The password was '"
                                + LEVEL2_SECRET
                                + "'. SHA1 is deprecated — it is vulnerable to collision"
                                + " attacks and hashes can be reversed using rainbow tables.",
                        true),
                HttpStatus.OK);
    } else {
        // ... (truncated for brevity)
    }
}
```
❌ Example 2
Base64 is an encoding, not encryption, so this handler is a second vulnerable pattern rather than a remediation: the "stored password" is recovered by a single decode call, and the server also keeps the plaintext secret in a constant.
```java
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestParam;

// Vulnerable: LEVEL4_ENCODED is only Base64, which anyone can decode, and the
// plaintext LEVEL4_SECRET is compared directly with the supplied password.
public ResponseEntity<GenericVulnerabilityResponseBean<String>> getVulnerablePayloadLevel4(
        @RequestParam Map<String, String> queryParams) {
    String password = queryParams.get(PASSWORD_PARAM);
    if (password == null || password.isEmpty()) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "CHALLENGE: The system 'encrypts' passwords using Base64 encoding. "
                                + "The stored password is: "
                                + LEVEL4_ENCODED
                                + " — Decode it and enter the original password!",
                        false),
                HttpStatus.OK);
    }
    // Plaintext comparison: the secret is never hashed at all.
    if (password.equals(LEVEL4_SECRET)) {
        return new ResponseEntity<>(
                new GenericVulnerabilityResponseBean<>(
                        "Correct! The password was '"
                                + LEVEL4_SECRET
                                + "'. Base64 is an encoding, NOT encryption."
                                + " It provides zero security — anyone can decode it instantly.",
                        true),
                HttpStatus.OK);
    } else {
        // ... (truncated for brevity)
    }
}
```
Detection Pattern
Look for these patterns in your codebase:
```bash
# Find key generators, then the sizes they are initialised with
grep -rnE "KeyGenerator|KeyPairGenerator" --include="*.java" .
grep -rnE "\.(init|initialize)\(\s*(56|64|512|768|1024)\s*[,)]" --include="*.java" .

# Find weak key sizes mentioned near "key" (constants, config, comments)
grep -rnE "\b(512|1024)\b" --include="*.java" . | grep -i key

# Find legacy ciphers requested by name
grep -rnE "getInstance\(\"(DES|DESede|RC2|RC4|Blowfish)" --include="*.java" .

# Find fast digests or plain encodings standing in for password hashing
grep -rnE "DigestUtils\.(md5|sha1)Hex|MessageDigest\.getInstance\(\"(MD5|SHA-?1)\"\)|Base64\.getEncoder\(\)" --include="*.java" .

# Find PBKDF2 iteration counts to review against the remediation floor
grep -rnE "new PBEKeySpec\(" --include="*.java" .
```
Remediation Steps
- Use RSA keys of at least 2048 bits (3072 or 4096 for keys that must stay secure for years)
- Use AES with keys of at least 128 bits, preferably 256; do not use DES, 3DES, RC2 or RC4
- Store passwords with a salted, slow key derivation function (Argon2id or PBKDF2-HMAC-SHA256), never with a fast digest such as SHA-1 or MD5 and never with an encoding such as Base64, as in the two examples above
- Use enough iterations (or memory and time cost for Argon2) that one derivation takes tens of milliseconds; the OWASP Password Storage Cheat Sheet gives 600,000 iterations for PBKDF2-HMAC-SHA256
Key Imports
```java
import javax.crypto.KeyGenerator;          // symmetric keys (AES)
import java.security.KeyPairGenerator;     // asymmetric keys (RSA, EC)
import javax.crypto.SecretKeyFactory;      // PBKDF2 key derivation
import javax.crypto.spec.PBEKeySpec;       // PBKDF2 parameters: salt, iterations, key length
import java.security.SecureRandom;         // salts and key material
```
Verification
After remediation:
- Re-run the SAST scan; CWE-326 should be resolved
- Verify RSA keys are >= 2048 bits, checking the modulus bit length of keys loaded from keystores and configuration as well as keys generated in code
- Verify AES keys are >= 128 bits (256 preferred)
- Verify no password is stored as an unsalted digest or as a Base64 string
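The class below is an added example serving both the remediation steps and the verification checklist; it is not code from the generated skill. It generates RSA and AES keys at the required sizes and checks the size of any key it is handed, so a short key loaded from a keystore or config fails at load time instead of being used silently. It also covers EC public keys, which the page does not mention, by reading the curve's field size. KeyStrength, its method names and the 256-bit EC floor are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not from the generated skill): key generation at adequate
 * sizes plus a load-time size check. Names and the EC floor are assumptions.
 */
public final class KeyStrength {
    public static final int MIN_RSA_BITS = 2048;      // from the remediation steps
    public static final int MIN_EC_BITS = 256;        // assumed floor for EC (P-256 and up)
    public static final int MIN_AES_BITS = 128;       // from the verification checklist
    public static final int PREFERRED_AES_BITS = 256;

    /** RSA key pair; rejects the 512- and 1024-bit sizes the grep patterns flag. */
    public static KeyPair newRsaKeyPair(int bits) throws NoSuchAlgorithmException {
        if (bits < MIN_RSA_BITS) {
            throw new IllegalArgumentException("RSA key size " + bits + " is below " + MIN_RSA_BITS);
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    /** AES key; 128 bits is the floor, 256 the preferred size. */
    public static SecretKey newAesKey(int bits) throws NoSuchAlgorithmException {
        if (bits < MIN_AES_BITS) {
            throw new IllegalArgumentException("AES key size " + bits + " is below " + MIN_AES_BITS);
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits);
        return kg.generateKey();
    }

    /** Security-relevant size of a public key: RSA modulus bits or EC field bits. */
    public static int publicKeyBits(PublicKey key) {
        if (key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength();
        }
        if (key instanceof ECKey) {
            return ((ECKey) key).getParams().getCurve().getField().getFieldSize();
        }
        throw new IllegalArgumentException("Unsupported key type: " + key.getAlgorithm());
    }

    /** Verification step for keys loaded from a keystore, PEM file or config. */
    public static void requireStrong(PublicKey key) {
        int bits = publicKeyBits(key);
        int floor = key instanceof RSAKey ? MIN_RSA_BITS : MIN_EC_BITS;
        if (bits < floor) {
            throw new IllegalStateException(key.getAlgorithm() + " key is " + bits
                    + " bits; minimum is " + floor);
        }
    }

    /** Verification step for symmetric keys; non-extractable (HSM) keys must be checked at the provider. */
    public static void requireStrong(SecretKey key) {
        byte[] raw = key.getEncoded();
        if (raw == null) {
            throw new IllegalStateException("key material is not extractable; verify its size at the provider");
        }
        int bits = raw.length * 8;
        if (!"AES".equals(key.getAlgorithm()) || bits < MIN_AES_BITS) {
            throw new IllegalStateException(key.getAlgorithm() + "/" + bits + " is below the AES-128 floor");
        }
    }

    public static void main(String[] args) throws Exception {
        requireStrong(newRsaKeyPair(3072).getPublic());   // accepted: 3072-bit modulus
        requireStrong(newAesKey(PREFERRED_AES_BITS));     // accepted: 256-bit AES key

        // A legacy 1024-bit key generated elsewhere is rejected when loaded.
        KeyPairGenerator legacy = KeyPairGenerator.getInstance("RSA");
        legacy.initialize(1024);
        try {
            requireStrong(legacy.generateKeyPair().getPublic());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Call requireStrong wherever a key enters the application (KeyStore.getCertificate, a PEM parser, a JWT library's key resolver) rather than only at generation; a SAST rule sees the init(1024) in your own code but not the 1024-bit certificate someone dropped into a keystore.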
Trigger Examples
Fix CWE-326 vulnerability
Resolve Inadequate Encryption Strength issue
Secure this Java code against inadequate encryption strength
SAST reports CWE-326
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|---|---|
| Security | *Crypto*.java | Key generation |
| Configuration | *Config.java | Security config |
References
Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07