Insecure Encryption Algorithm - DSA
Need
To secure the information transmitted between the client and the server using cryptographically secure algorithms.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.11.1 and above) for building composable web applications in Elixir
- Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)
Description
Non-compliant code
defmodule MyApp.Encryption do
  def encrypt(data) do
    # Weak choice: DSA with 1024/160-bit parameters and SHA-1
    {:ok, key} = Plug.Crypto.KeyGenerator.generate(:dsa, {1024, 160}, :sha)
    # Weak choice: DES as the symmetric cipher
    {:ok, cipher} = :crypto.block_encrypt(:des, key, data)
    {:ok, cipher}
  end
end
This code is vulnerable because it relies on the DSA algorithm, which is considered insecure. An attacker could decrypt the information transmitted between the client and the server.
Steps
- Replace the insecure DSA algorithm with a secure one such as RSA or ECC.
- Use a key length appropriate for the chosen algorithm.
Compliant code
defmodule MyApp.Encryption do
  def encrypt(data) do
    # RSA with SHA-256 replaces DSA with SHA-1
    {:ok, key} = Plug.Crypto.KeyGenerator.generate(:rsa, :sha256)
    # AES replaces DES as the symmetric cipher
    {:ok, cipher} = :crypto.block_encrypt(:aes, key, data)
    {:ok, cipher}
  end
end
In this secure code example, we've replaced the DSA encryption algorithm with RSA, which is considered secure. We've also switched the symmetric encryption algorithm from DES to AES.
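A working form of the RSA and AES replacement described above, as an added example that is not the page's own code: a fresh AES-256-GCM key encrypts the data and RSA-OAEP wraps that key. It uses OTP's `:public_key` and `:crypto.crypto_one_time_aead` (OTP 22 or later), since `:crypto.block_encrypt/3` was removed in OTP 24. The module name, function names and associated-data string are assumptions made for illustration.

```elixir
# Added example, not the page's code. All names here are hypothetical.
defmodule HybridEncryptionExample do
  # Constructed associated data: authenticated by GCM but not encrypted.
  @aad "example-v1"
  @oaep [rsa_padding: :rsa_pkcs1_oaep_padding]

  # Generate a 2048-bit RSA key pair as {public_key, private_key} records.
  def generate_keypair do
    {:RSAPrivateKey, _, n, e, _, _, _, _, _, _, _} =
      priv = :public_key.generate_key({:rsa, 2048, 65_537})

    {{:RSAPublicKey, n, e}, priv}
  end

  # Encrypt with a one-time AES-256 key and a random 96-bit IV,
  # then wrap the AES key for the holder of the RSA private key.
  def encrypt(data, rsa_public_key) when is_binary(data) do
    key = :crypto.strong_rand_bytes(32)
    iv = :crypto.strong_rand_bytes(12)

    {ciphertext, tag} =
      :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, data, @aad, true)

    wrapped_key = :public_key.encrypt_public(key, rsa_public_key, @oaep)
    {:ok, %{wrapped_key: wrapped_key, iv: iv, ciphertext: ciphertext, tag: tag}}
  end

  # Unwrap the AES key, then decrypt. A modified ciphertext, IV, tag or
  # associated data makes GCM verification fail and returns an error tuple.
  def decrypt(%{wrapped_key: wk, iv: iv, ciphertext: ct, tag: tag}, rsa_private_key) do
    key = :public_key.decrypt_private(wk, rsa_private_key, @oaep)

    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ct, @aad, tag, false) do
      :error -> {:error, :authentication_failed}
      plaintext -> {:ok, plaintext}
    end
  end

  # Round trip on a constructed message.
  def demo do
    {pub, priv} = generate_keypair()
    {:ok, message} = encrypt("constructed sample payload", pub)
    decrypt(message, priv) == {:ok, "constructed sample payload"}
  end
end
```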