Skip to content

Java: Add missing broken crypto algorithms #4833

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 18, 2020
Merged

Java: Add missing broken crypto algorithms #4833

merged 3 commits into from
Dec 18, 2020

Conversation

luchua-bc
Copy link
Contributor

@luchua-bc luchua-bc commented Dec 16, 2020
edited
Loading

Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.

The ECB encryption mode is vulnerable to replay attacks and the CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks. These two types of algorithms are widely treated as insecure/broken cryptographic algorithms in modern standards.

Some references are:

  1. Test cases for risky or broken cryptographic algorithm erroneously labeled as not vulnerable #92 - OWASP Test Cases
  2. codeql/csharp/ql/src/Security Features/Encryption using ECB.ql - C# Query for Encryption using ECB
  3. AES encryption algorithm should be used with secured mode - SonarSource Rule RSPEC-4432
  4. CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

This query adds these two categories to the list of insecure ciphers.

Please consider to merge this PR. Thanks.

@luchua-bc luchua-bc requested review from felicitymay and a team as code owners December 16, 2020 04:46
@luchua-bc luchua-bc mentioned this pull request Dec 16, 2020
Closed
1 task
smowton
smowton reviewed Dec 16, 2020
View reviewed changes
aschackmull
aschackmull previously approved these changes Dec 16, 2020
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@smowton
Copy link
Contributor

smowton commented Dec 16, 2020

Looks like you got a real test failure in ql/java/ql/test/library-tests/Encryption/cryptoalgospec.ql

@aschackmull
Copy link
Contributor

Looks like there are actually 2 test failures:
ql/java/ql/test/library-tests/Encryption/cryptoalgospec.ql: Test failure (Expected output does not match)
ql/java/ql/test/library-tests/Encryption/secure.ql: Test failure (Expected output does not match)

@luchua-bc
Copy link
Contributor Author

Sorry I should have checked the other two test cases as well instead of insecure.ql only. I'm trying to exclude those two new patterns from the regex match in getASecureAlgorithmName() so that secure.ql can pass.

Please advise if there is a better approach to resolve this issue. Thanks.

@luchua-bc
Copy link
Contributor Author

I've removed those algorithms from the list of secure algorithms. Please review.

Thanks,
@luchua-bc

@aschackmull aschackmull merged commit 5106d5d into github:main Dec 18, 2020
@aschackmull aschackmull mentioned this pull request Dec 18, 2020
Open
@luchua-bc luchua-bc deleted the java-broken-crypto-algorithms branch December 18, 2020 16:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smowton smowton smowton left review comments

@aschackmull aschackmull aschackmull approved these changes

@felicitymay felicitymay Awaiting requested review from felicitymay

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@luchua-bc @smowton @aschackmull