Insecure encryption algorithm
Description
The application uses insecure encryption algorithms.
Impact
- Reverse the ciphertext and collect sensible information.
- Tamper protected data by exploiting algorithm collisions.
Recommendation
Use algorithms considered cryptographically secure.
Threat
Anonymous attacker from adjacent network.
Expected Remediation Time
⌚ 30 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: A
- Attack complexity: H
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: N
Temporal
- Exploit code madurity: F
- Remediation level: O
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:X
- Score:
- Base: 3.1
- Temporal: 2.9
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
Secure encryption library
//Use alternative libraries that comply with the required security standards
const forge = require('node-forge');
let keyString = "*4wQZgn+U2RW_mb=";
const key = Buffer.from(keyString.substring(0, 8), "utf8");
const cipher = forge.cipher.createCipher('AES-CBC', key);
Secure hash examples
using System.Security.Cryptography;
namespace Cypher_Example{
class CypherExample{
public static void Main(){
var hashProvider3 = new RC2CryptoServiceProvider();
}
}
}
Non compliant code
Examples with an insecure encryption library
const crypto = require("crypto");
let keyString = "*4wQZgn+U2RW_mb=";
const key = Buffer.from(keyString.substring(0, 8), "utf8");
const cipher = crypto.createCipheriv("des-ecb", key, "");
Insecure hash examples
using System.Security.Cryptography;
namespace Cypher_Example{
class CypherExample{
public static void Main(){
HMACMD5 myAes = HMACMD5.Create();
DES myAes = DES.Create();
TripleDES myAes = TripleDES.Create();
var hashProvider3 = new RC2CryptoServiceProvider();
}
}
}
Example using an obsolete key derivation
using System;
class TestClass{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV){
System.Security.Cryptography.rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
byte[] pwd = Encoding.Unicode.GetBytes(Console.ReadLine());
byte[] salt = CreateRandomSalt(7);
PasswordDeriveBytes pdb = new PasswordDeriveBytes(pwd, salt);
}
}
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
public class Main {
public static void main(String[] args) {
Hashing.md5().hashString(password,StandardCharsets.UTF_8).toString();
Hashing.sha256().hashString(password,StandardCharsets.UTF_8).toString();
Cipher c = Cipher.getInstance("AES");
Cipher c = Cipher.getInstance("DES");
Cipher c = Cipher.getInstance("DESede");
Cipher c = Cipher.getInstance("RSA");
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher c = Cipher.getInstance("DES/CBC/NoPadding");
Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
}
}
Requirements
- 148. Set minimum size of asymmetric encryption
- 149. Set minimum size of symmetric encryption
- 150. Set minimum size for hash functions
- 181. Transmit data using secure protocols
- 336. Disable insecure TLS versions
free trial
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.