Use of a broken or weak cryptographic algorithm¶
Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted or forged by an attacker.
Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that encrypted or hashed data is less secure than it appears to be.
Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048 for encryption, and SHA-2 or SHA-3 for secure hashing.
The following code shows an example of using the builtin cryptographic library of NodeJS to encrypt some secret data. When creating a
Cipher instance to encrypt the secret data with, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.
const crypto = require('crypto'); var secretText = obj.getSecretText(); const desCipher = crypto.createCipher('des', key); let desEncrypted = desCipher.write(secretText, 'utf8', 'hex'); // BAD: weak encryption const aesCipher = crypto.createCipher('aes-128', key); let aesEncrypted = aesCipher.update(secretText, 'utf8', 'hex'); // GOOD: strong encryption
NIST, FIPS 140 Annex a: Approved Security Functions.
Common Weakness Enumeration: CWE-327.
Common Weakness Enumeration: CWE-328.