Click to see the query in the CodeQL repository
Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.
Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.
If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users. This query alerts on any use of a weak cryptographic algorithm that is not a hashing algorithm. Use of broken or weak cryptographic hash functions are handled by the rust/weak-sensitive-data-hashing query.
Ensure that you use a strong, modern cryptographic algorithm, such as AES-128 or RSA-2048.
The following code uses the des crate from the RustCrypto family to encrypt some secret data. The DES algorithm is old and considered very weak.
Instead, we should use a strong modern algorithm. In this case, we have selected the 256-bit version of the AES algorithm.
NIST, FIPS 140 Annex A: Approved Security Functions.
NIST, SP 800-131A Revision 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration: CWE-327.