Use of a broken or weak cryptographic algorithm¶

ID: rb/weak-cryptographic-algorithm Kind: problem Security severity: 7.5 Severity: warning Precision: high Tags: - security - external/cwe/cwe-327 Query suites: - ruby-code-scanning.qls - ruby-security-extended.qls - ruby-security-and-quality.qls 

Click to see the query in the CodeQL repository

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.

Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.

Recommendation¶

Ensure that you use a strong, modern cryptographic algorithm, such as AES-128 or RSA-2048.

Example¶

The following code uses the OpenSSL library to encrypt some secret data. When you create a cipher using OpenSSL you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a stronger modern algorithm.

require 'openssl' class Encryptor  attr_accessor :secret_key  def encrypt_message_weak(message)  cipher = OpenSSL::Cipher.new('des') # BAD: weak encryption  cipher.encrypt  cipher.key = secret_key  cipher.update(message)  cipher.final  end  def encrypt_message_strong(message)  cipher = OpenSSL::Cipher::AES128.new # GOOD: strong encryption  cipher.encrypt  cipher.key = secret_key  cipher.update(message)  cipher.final  end end 

References¶

NIST, FIPS 140 Annex a: Approved Security Functions.
NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
OWASP: Rule - Use strong approved cryptographic algorithms.
Common Weakness Enumeration: CWE-327.

© GitHub, Inc.
Terms
Privacy