CodeQL documentation

Hard-coded cryptographic value

ID: rust/hard-coded-cryptographic-value
Kind: path-problem
Security severity: 9.8
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-259
   - external/cwe/cwe-321
   - external/cwe/cwe-798
   - external/cwe/cwe-1204
Query suites:
   - rust-code-scanning.qls
   - rust-security-extended.qls
   - rust-security-and-quality.qls


Hard-coded passwords, keys, initialization vectors, and salts should not be used for cryptographic operations.

  • Attackers can easily recover hard-coded values if they have access to the source code or compiled executable.

  • Some hard-coded values are easily guessable.

  • Use of hard-coded values may leave cryptographic operations vulnerable to dictionary attacks, rainbow tables, and other forms of cryptanalysis.

Recommendation

Use randomly generated key material, initialization vectors, and salts. Use strong passwords that are not hard-coded.

Example

The following example shows instantiating a cipher with hard-coded key material, making the encrypted data vulnerable to recovery.

let key: [u8;32] = [0;32]; // BAD: Using hard-coded keys for encryption
let cipher = Aes256Gcm::new(&key.into());

In the fixed code below, the key material is randomly generated and not hard-coded, which protects the encrypted data against recovery. A real application would also need a strategy for secure key management after the key has been generated.

let key = Aes256Gcm::generate_key(aes_gcm::aead::OsRng); // GOOD: Using randomly generated keys for encryption
let cipher = Aes256Gcm::new(&key);
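
One way to handle the key after it has been generated, shown as an added example that is not part of the CodeQL documentation: the key is supplied at run time instead of being compiled in, and obvious placeholder values are rejected. It assumes the key is provisioned out of band as 64 hex characters in an environment variable (`APP_AES256_KEY` is a hypothetical name) and uses only the standard library; the returned array would be passed to `Aes256Gcm::new(&key.into())`.

```rust
use std::env;

/// Reasons a runtime-supplied key is rejected.
#[derive(Debug, PartialEq)]
pub enum KeyError {
    Missing,          // variable unset or not valid Unicode
    BadLength(usize), // not exactly 64 hex characters
    NotHex,           // contains a non-hex character
    Degenerate,       // every byte identical, e.g. all zeros
}

/// Decode a 64-character hex string into a 256-bit key.
pub fn parse_key_hex(s: &str) -> Result<[u8; 32], KeyError> {
    let s = s.trim();
    if s.len() != 64 {
        return Err(KeyError::BadLength(s.len()));
    }
    // Check digits explicitly: from_str_radix would accept a leading '+'.
    if !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(KeyError::NotHex);
    }
    let mut key = [0u8; 32];
    for (i, byte) in key.iter_mut().enumerate() {
        *byte = u8::from_str_radix(&s[2 * i..2 * i + 2], 16)
            .map_err(|_| KeyError::NotHex)?;
    }
    // Catches placeholders like the [0; 32] key above; not a strength test.
    if key.iter().all(|b| *b == key[0]) {
        return Err(KeyError::Degenerate);
    }
    Ok(key)
}

/// Read the key from the named environment variable (name is an assumption).
pub fn key_from_env(var: &str) -> Result<[u8; 32], KeyError> {
    let raw = env::var(var).map_err(|_| KeyError::Missing)?;
    parse_key_hex(&raw)
}

fn main() {
    // Fail closed: report the reason, never the key material itself.
    match key_from_env("APP_AES256_KEY") {
        Ok(_key) => println!("key loaded"),
        Err(e) => eprintln!("refusing to start: {:?}", e),
    }
}
```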
