• CodeQL query help documentation »
• CodeQL query help for JavaScript and TypeScript »

Use of a broken or weak cryptographic algorithm

ID: js/weak-cryptographic-algorithm
Kind: path-problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
   - external/cwe/cwe-328
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.

Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:

• If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.

• If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.

• If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.

Recommendation

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.

Example

The following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a Cipher instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.

const crypto = require('crypto');

var secretText = obj.getSecretText();

const desCipher = crypto.createCipher('des', key);
let desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption

const aesCipher = crypto.createCipher('aes-128', key);
let aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption

References

• NIST, FIPS 140 Annex a: Approved Security Functions.

• NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.

• OWASP: Rule - Use strong approved cryptographic algorithms.

• Common Weakness Enumeration: CWE-327.

• Common Weakness Enumeration: CWE-328.

• © GitHub, Inc.
• Terms
• Privacy