Use of a broken or risky cryptographic algorithm¶

ID: cpp/weak-cryptographic-algorithm
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.

Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.

Recommendation¶

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.

Example¶

The following code shows an example of using the advapi windows API to decrypt some data. When creating a key, you must specify which algorithm to use. The first example uses DES which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.

void advapi() {
  HCRYPTPROV hCryptProv;
  HCRYPTKEY hKey;
  HCRYPTHASH hHash;
  // other preparation goes here

  // BAD: use 3DES for key
  CryptDeriveKey(hCryptProv, CALG_3DES, hHash, 0, &hKey);

  // GOOD: use AES
  CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 0, &hKey);
}

References¶

NIST, FIPS 140 Annex a: Approved Security Functions.
NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration: CWE-327.

© GitHub, Inc.
Terms
Privacy

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Use of a broken or risky cryptographic algorithm¶

Recommendation¶

Example¶

References¶

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.