
Insecure encryption algorithm

Description

The application uses insecure encryption algorithms.

Impact

  • Reverse the ciphertext and collect sensitive information.
  • Tamper with protected data by exploiting algorithm collisions.

Recommendation

Use algorithms considered cryptographically secure.

Threat

Anonymous attacker from adjacent network.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: F
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 2.9
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Secure encryption library

// Use alternative libraries that comply with the required security standards
const forge = require('node-forge');

// AES needs a 16-, 24- or 32-byte key; node-forge takes it as a binary string
// (or a forge ByteBuffer), not as a Node.js Buffer
const keyString = "*4wQZgn+U2RW_mb=";
const key = keyString.substring(0, 16);

const cipher = forge.cipher.createCipher('AES-CBC', key);
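
The following is an added example, not code from the original page. It uses Node's built-in crypto module to show why ECB mode (listed in the non-compliant code) exposes repeated plaintext blocks, next to AES-256-GCM, which hides them and rejects tampered ciphertext. AES-256-GCM is the algorithm chosen for this example (the page does not name it); the function names and sample plaintext are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample: two identical 16-byte plaintext blocks.
const SAMPLE = Buffer.from("ACCOUNT=00001234".repeat(2), "utf8");

// Weak: ECB encrypts every block independently, so equal plaintext
// blocks produce equal ciphertext blocks and the repetition is visible.
function ecbLeaksRepeats(plaintext) {
  const key = crypto.randomBytes(16);
  const c = crypto.createCipheriv("aes-128-ecb", key, null);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return ct.subarray(0, 16).equals(ct.subarray(16, 32));
}

// Hardened: AES-256-GCM with a fresh random 96-bit nonce per message.
// The authentication tag covers the whole ciphertext.
function encryptGcm(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the nonce, ciphertext or tag
// does not authenticate (for example after modification in transit).
function decryptGcm(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  try {
    return Buffer.concat([d.update(ct), d.final()]);
  } catch (err) {
    return null; // authentication failed: discard the message
  }
}

// Same check as ecbLeaksRepeats, applied to the GCM ciphertext.
function gcmLeaksRepeats(key, plaintext) {
  const { ct } = encryptGcm(key, plaintext);
  return ct.subarray(0, 16).equals(ct.subarray(16, 32));
}
```

The key passed to encryptGcm and decryptGcm must be 32 random bytes obtained from a key store or KMS, not a string embedded in the source.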

Secure hash examples

using System.Security.Cryptography;

namespace Cypher_Example{
    class CypherExample{
        public static void Main(){
            // SHA-256 is a hash function considered cryptographically secure
            var hashProvider3 = SHA256.Create();
        }
    }
}

Non compliant code

Examples with an insecure encryption library

const crypto = require("crypto");

let keyString = "*4wQZgn+U2RW_mb=";
const key = Buffer.from(keyString.substring(0, 8), "utf8");

const cipher = crypto.createCipheriv("des-ecb", key, "");

Insecure hash examples

using System.Security.Cryptography;

namespace Cypher_Example{
    class CypherExample{
        public static void Main(){
            // Each declaration below selects a weak algorithm
            var hmacMd5 = new HMACMD5();                         // MD5-based MAC
            DES des = DES.Create();                              // 56-bit effective key
            TripleDES tripleDes = TripleDES.Create();            // 64-bit block size
            var hashProvider3 = new RC2CryptoServiceProvider();  // RC2
        }
    }
}

Example using an obsolete key derivation

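using System;
using System.Security.Cryptography;
using System.Text;
class TestClass{
    public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV){
        rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV); // obsolete method
        byte[] pwd = Encoding.Unicode.GetBytes(Console.ReadLine());
        byte[] salt = CreateRandomSalt(7);
        PasswordDeriveBytes pdb = new PasswordDeriveBytes(pwd, salt); // PBKDF1-based derivation
    }
    // Helper the example relies on: returns `length` random bytes
    private static byte[] CreateRandomSalt(int length){
        byte[] salt = new byte[length];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }
}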

// Java: hash and cipher selections reported as non-compliant
import com.google.common.hash.Hashing; // Guava
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

public class Main {
    public static void main(String[] args) throws Exception {
        String password = args[0];
        // Plain digests applied directly to a password
        Hashing.md5().hashString(password, StandardCharsets.UTF_8).toString();
        Hashing.sha256().hashString(password, StandardCharsets.UTF_8).toString();
        // A bare algorithm name leaves mode and padding to the provider default
        Cipher c = Cipher.getInstance("AES");
        c = Cipher.getInstance("DES");
        c = Cipher.getInstance("DESede");
        c = Cipher.getInstance("RSA");
        // Explicit transformations
        c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c = Cipher.getInstance("AES/CBC/NoPadding");
        c = Cipher.getInstance("AES/ECB/NoPadding");
        c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c = Cipher.getInstance("DES/CBC/NoPadding");
        c = Cipher.getInstance("DES/CBC/PKCS5Padding");
        c = Cipher.getInstance("DES/ECB/NoPadding");
        c = Cipher.getInstance("DES/ECB/PKCS5Padding");
    }
}

Requirements