Use of a broken or weak cryptographic algorithm — CodeQL query help documentation CodeQL docs

CodeQL resources

Use of a broken or weak cryptographic algorithm¶

ID: go/weak-cryptographic-algorithm
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
   - external/cwe/cwe-328
Query suites:
   - go-code-scanning.qls
   - go-security-extended.qls
   - go-security-and-quality.qls

Click to see the query in the CodeQL repository

Using weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.

Many cryptographic algorithms provided by cryptography libraries are known to be weak. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.

Recommendation¶

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.

Example¶

The following code uses the different packages to encrypt some secret data. The first example uses DES, which is an older algorithm that is now considered weak. The following example uses AES, which is a stronger, more modern algorithm.

package main

import (
	"crypto/aes"
	"crypto/des"
)

func EncryptMessageWeak(key []byte, message []byte) (dst []byte) {
	// BAD, DES is a weak crypto algorithm
	block, _ := des.NewCipher(key)
	block.Encrypt(dst, message)
	return
}

func EncryptMessageStrong(key []byte, message []byte) (dst []byte) {
	// GOOD, AES is a strong crypto algorithm
	block, _ := aes.NewCipher(key)
	block.Encrypt(dst, message)
	return
}

References¶

OWASP: Cryptographic Storage Cheat Sheet.
Wikipedia: Cryptographically Strong Algorithms.
Wikipedia: Strong Cryptography Examples.
NIST, FIPS 140 Annex a: Approved Security Functions.
NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration: CWE-327.
Common Weakness Enumeration: CWE-328.

© GitHub, Inc.
Terms
Privacy