CodeQL queries 1.25

Name: Weak encryption

Description: Finds uses of encryption algorithms that are weak and obsolete

ID: cs/weak-encryption

Kind: problem

Severity: warning

Precision: high

Query: WeakEncryption.ql
/**
 * @name Weak encryption
 * @description Finds uses of encryption algorithms that are weak and obsolete
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id cs/weak-encryption
 * @tags security
 *       external/cwe/cwe-327
 */

import csharp

predicate incorrectUseOfDES(ObjectCreation e, string msg) {
  e.getType().(Class).hasQualifiedName("System.Security.Cryptography", "DESCryptoServiceProvider") and
  msg =
    "DES encryption uses keys of 56 bits only. Switch to AesCryptoServiceProvider or RijndaelManaged instead."
}

predicate incorrectUseOfTripleDES(ObjectCreation e, string msg) {
  e
      .getType()
      .(Class)
      .hasQualifiedName("System.Security.Cryptography", "TripleDESCryptoServiceProvider") and
  msg =
    "TripleDES encryption provides at most 112 bits of security. Switch to AesCryptoServiceProvider or RijndaelManaged instead."
}

from Expr e, string msg
where
  incorrectUseOfDES(e, msg) or
  incorrectUseOfTripleDES(e, msg)
select e, msg

Weak encryption algorithms provide very little security. For example, DES encryption uses keys of only 56 bits and no longer provides sufficient protection for sensitive data. TripleDES should also be deprecated for very sensitive data: although it improves on DES by using 168-bit keys, it in fact provides at most 112 bits of security.

Recommendation

You should switch to a more secure encryption algorithm, such as AES (Advanced Encryption Standard), and use a key length that is appropriate for the application in which it is used.

Example

This example uses DES, which is limited to a 56-bit key. The key provided is actually 64 bits, but the last bit of each byte is treated as a parity bit. For example, the bytes 01010101 and 01010100 can be used in place of each other when encrypting and decrypting.

using System;
using System.Security.Cryptography;

class WeakEncryption
{
    public static byte[] encryptString()
    {
        // DESCryptoServiceProvider is the object creation flagged by the query above.
        SymmetricAlgorithm serviceProvider = new DESCryptoServiceProvider();
        // Hard-coded 8-byte (64-bit) key; the low bit of each byte is a parity bit,
        // so only 56 bits actually contribute to the key.
        byte[] key = { 16, 22, 240, 11, 18, 150, 192, 21 };
        serviceProvider.Key = key;
        ICryptoTransform encryptor = serviceProvider.CreateEncryptor();

        String message = "Hello World";
        byte[] messageB = System.Text.Encoding.ASCII.GetBytes(message);
        return encryptor.TransformFinalBlock(messageB, 0, messageB.Length);
    }
}
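The corrected form of the example, added here as an illustration and not part of the CodeQL query documentation: it replaces DESCryptoServiceProvider with the platform Aes class, uses a 256-bit key, generates a fresh IV for every message and prepends the IV to the ciphertext so the receiver can decrypt. Unlike the original it takes the key as a parameter instead of hard-coding it; the caller is assumed to produce the 32-byte key with RandomNumberGenerator.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

class StrongEncryption
{
    // AES-256-CBC with PKCS7 padding; returns IV || ciphertext so the
    // receiver can decrypt. 'key' must be 32 bytes from a CSPRNG.
    public static byte[] EncryptString(string message, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;                   // a 32-byte key selects AES-256
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();                // fresh random IV for each message
            byte[] plaintext = Encoding.UTF8.GetBytes(message);
            using (ICryptoTransform encryptor = aes.CreateEncryptor())
            {
                byte[] ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[aes.IV.Length + ciphertext.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
                Buffer.BlockCopy(ciphertext, 0, output, aes.IV.Length, ciphertext.Length);
                return output;
            }
        }
    }

    // Reverses EncryptString: split off the IV, then decrypt the remainder.
    public static string DecryptString(byte[] data, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            int ivLength = aes.BlockSize / 8; // AES block size is 128 bits, i.e. 16 bytes
            byte[] iv = new byte[ivLength];
            Buffer.BlockCopy(data, 0, iv, 0, ivLength);
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
            {
                byte[] plaintext = decryptor.TransformFinalBlock(data, ivLength, data.Length - ivLength);
                return Encoding.UTF8.GetString(plaintext);
            }
        }
    }
}
```

CBC mode provides confidentiality only; where tampering with stored or transmitted ciphertext is a concern, an authenticated mode such as AES-GCM (the AesGcm class in .NET Core 3.0 and later) should be used instead.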

References