codeql/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp at a8fc10010833c24684e5aa497e51ed1bfa2dbc70 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
     <overview>
          <p>
               Using broken or weak cryptographic algorithms can leave data
               vulnerable to being decrypted or forged by an attacker.
          </p>

          <p>
               Many cryptographic algorithms provided by cryptography
               libraries are known to be weak, or flawed. Using such an
               algorithm means that encrypted or hashed data is less
               secure than it appears to be.
          </p>

          <p>
               This query alerts on any use of a weak cryptographic algorithm, that is
               not a hashing algorithm. Use of broken or weak cryptographic hash
               functions are handled by the
               <code>py/weak-sensitive-data-hashing</code> query.
          </p>

     </overview>
     <recommendation>

          <p>
               Ensure that you use a strong, modern cryptographic
               algorithm, such as AES-128 or RSA-2048.
          </p>

     </recommendation>
     <example>

          <p>
               The following code uses the <code>pycryptodome</code>
               library to encrypt some secret data. When you create a cipher using
               <code>pycryptodome</code> you must specify the encryption
               algorithm to use. The first example uses DES, which is an
               older algorithm that is now considered weak. The second
               example uses AES, which is a stronger modern algorithm.
          </p>

          <sample src="examples/broken_crypto.py" />

          <p>
               NOTICE: the original
               <code><a href="https://pypi.org/project/pycrypto/">pycrypto</a></code>
               PyPI package that provided the <code>Crypto</code> module is not longer
               actively maintained, so you should use the
               <code><a href="https://pypi.org/project/pycryptodome/">pycryptodome</a></code>
               PyPI package instead (which has a compatible API).
          </p>

     </example>

     <references>
          <li>NIST, FIPS 140 Annex a: <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf"> Approved Security Functions</a>.</li>
          <li>NIST, SP 800-131A: <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf"> Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
          <li>OWASP: <a
          href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#rule---use-strong-approved-authenticated-encryption">Rule
          - Use strong approved cryptographic algorithms</a>.
          </li>
     </references>

</qhelp>