forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathBrokenCryptoAlgorithm.qhelp
More file actions
70 lines (60 loc) · 2.25 KB
/
BrokenCryptoAlgorithm.qhelp
File metadata and controls
70 lines (60 loc) · 2.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using broken or weak cryptographic algorithms may compromise
security guarantees such as confidentiality, integrity, and
authenticity.
</p>
<p>
Many cryptographic algorithms are known to be weak or flawed. The
security guarantees of a system often rely on the underlying
cryptography, so using a weak algorithm can have severe consequences.
For example:
</p>
<ul>
<li>
If a weak encryption algorithm is used, an attacker may be able to
decrypt sensitive data.
</li>
<li>
If a weak hashing algorithm is used to protect data integrity, an
attacker may be able to craft a malicious input that has the same
hash as a benign one.
</li>
<li>
If a weak algorithm is used for digital signatures, an attacker may
be able to forge signatures and impersonate legitimate users.
</li>
</ul>
</overview>
<recommendation>
<p>
Ensure that you use a strong, modern cryptographic
algorithm. Use at least AES-128 or RSA-2048 for
encryption, and SHA-2 or SHA-3 for secure hashing.
</p>
</recommendation>
<example>
<p>
The following code shows an example of using the builtin
cryptographic library of NodeJS to encrypt some secret
data. When creating a <code>Cipher</code> instance to encrypt
the secret data with, you must specify the encryption
algorithm to use. The first example uses DES, which is an
older algorithm that is now considered weak. The second
example uses AES, which is a strong modern algorithm.
</p>
<sample src="examples/BrokenCryptoAlgorithm.js" />
</example>
<references>
<li>NIST, FIPS 140 Annex a: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf"> Approved Security Functions</a>.</li>
<li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf"> Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
<li>OWASP: <a
href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption">Rule
- Use strong approved cryptographic algorithms</a>.
</li>
</references>
</qhelp>