forked from github/codeql
BrokenCryptoAlgorithm.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using broken or weak cryptographic algorithms may compromise
security guarantees such as confidentiality, integrity, and
authenticity.
</p>
<p>
Many cryptographic algorithms are known to be weak or flawed. The
security guarantees of a system often rely on the underlying
cryptography, so using a weak algorithm can have severe consequences.
For example:
</p>
<ul>
<li>
If a weak encryption algorithm is used, an attacker may be able to
decrypt sensitive data.
</li>
<li>
If a weak algorithm is used for digital signatures, an attacker may
be able to forge signatures and impersonate legitimate users.
</li>
</ul>
<p>
This query alerts on any use of a weak cryptographic algorithm that is
not a hashing algorithm. Use of broken or weak cryptographic hash
functions is handled by the
<code>py/weak-sensitive-data-hashing</code> query.
</p>
</overview>
<recommendation>
<p>
Ensure that you use a strong, modern cryptographic
algorithm, such as AES-128 or RSA-2048.
</p>
</recommendation>
<example>
<p>
The following code uses the <code>pycryptodome</code>
library to encrypt some secret data. When you create a cipher using
<code>pycryptodome</code> you must specify the encryption
algorithm to use. The first example uses DES, which is an
older algorithm that is now considered weak. The second
example uses AES, which is a stronger modern algorithm.
</p>
<sample src="examples/broken_crypto.py" />
<p>
NOTICE: the original
<code><a href="https://pypi.org/project/pycrypto/">pycrypto</a></code>
PyPI package that provided the <code>Crypto</code> module is no longer
actively maintained, so you should use the
<code><a href="https://pypi.org/project/pycryptodome/">pycryptodome</a></code>
PyPI package instead (which has a compatible API).
</p>
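Added example, not part of the original help file and not CodeQL's own implementation: a simplified, standard-library approximation of the kind of check this query performs, flagging calls that construct a weak pycryptodome cipher while leaving AES alone. The names find_weak_ciphers, dotted_name, WEAK_CIPHERS, CIPHER_PACKAGES and SAMPLE are assumptions of this example, and the weak-cipher set is illustrative.

```python
import ast

# Assumed for this example (not the CodeQL query's own rule set).
WEAK_CIPHERS = {"DES", "DES3", "ARC2", "ARC4"}
CIPHER_PACKAGES = {"Crypto.Cipher", "Cryptodome.Cipher"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def find_weak_ciphers(source):
    """Return sorted (line, algorithm) pairs for each weak cipher created."""
    tree = ast.parse(source)
    aliases = {}  # local name bound by an import -> weak algorithm
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in CIPHER_PACKAGES:
            for item in node.names:
                if item.name in WEAK_CIPHERS:
                    aliases[item.asname or item.name] = item.name
    findings = []
    for node in ast.walk(tree):
        target = dotted_name(node.func) if isinstance(node, ast.Call) else None
        if target is None or not target.endswith(".new"):
            continue
        module = target[: -len(".new")]
        package, _, leaf = module.rpartition(".")
        if module in aliases:
            findings.append((node.lineno, aliases[module]))
        elif package in CIPHER_PACKAGES and leaf in WEAK_CIPHERS:
            findings.append((node.lineno, leaf))
    return sorted(findings)

# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''\
from Crypto.Cipher import DES, AES
from Crypto.Cipher import ARC4 as stream
import Crypto.Cipher.DES3

weak = DES.new(key, DES.MODE_CBC, iv)
strong = AES.new(key, AES.MODE_GCM, nonce=nonce)
legacy = stream.new(key)
triple = Crypto.Cipher.DES3.new(key24, Crypto.Cipher.DES3.MODE_CBC, iv)
'''
```

A syntactic scan like this misses ciphers reached through wrappers or reassigned names, which is the gap a data-flow query closes.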
</example>
<references>
<li>NIST, FIPS 140 Annex A: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf">Approved Security Functions</a>.</li>
<li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf">Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
<li>OWASP: <a
href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption">Rule
- Use strong approved cryptographic algorithms</a>.
</li>
</references>
</qhelp>