Insecure encryption algorithm - Insecure Elliptic Curve
Need
Secure encryption
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Crypto package for cryptographic operations in Elixir
Description
Non compliant code
defmodule MyApp.Insecure do
def encrypt_data(data) do
private_key = :crypto.generate_key(:ecdh, :secp160r1)
{:ok, cipher_text} = :crypto.private_encrypt(:ecdh, data, private_key, :aes_cbc128)
cipher_text
end
end
In this insecure code example, the :secp160r1 elliptic curve is used, which is considered weak and therefore insecure. The key generated using this curve is then used to encrypt the data using AES encryption. The weak key might make the encryption vulnerable to attacks.
Steps
- Use a secure elliptic curve when generating the key, such as :secp384r1.
- Ensure that all the components of the encryption are secure, including the key, the algorithm, and the cipher mode.
Compliant code
defmodule MyApp.Secure do
def encrypt_data(data) do
private_key = :crypto.generate_key(:ecdh, :secp384r1)
{:ok, cipher_text} = :crypto.private_encrypt(:ecdh, data, private_key, :aes_cbc128)
cipher_text
end
end
In this secure code example, the :secp384r1 elliptic curve is used, which is considered secure. The key generated using this curve is then used to encrypt the data using AES encryption. The secure key enhances the security of the encryption.