Weak cipher algorithm

Encryption algorithm associated with the cipher context is weak

expand all in page

Description

This defect occurs when you associate a weak encryption algorithm with the cipher context.

Risk

Some encryption algorithms have known flaws. Though the OpenSSL library still supports the algorithms, you must avoid using them.

If your cipher algorithm is weak, an attacker can decrypt your data by exploiting a known flaw or brute force attacks.

Fix

Use algorithms that are well-studied and widely acknowledged as secure.

For instance, the Advanced Encryption Standard (AES) is a widely accepted cipher algorithm.

Examples

expand all


#include <openssl/evp.h>
#include <stdlib.h>

void func(unsigned char *key, unsigned char *iv) {
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_CIPHER_CTX_init(ctx);
    const EVP_CIPHER * ciph = EVP_des_cbc();        
    EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);   
}

In this example, the routine EVP_des_cbc() invokes the Data Encryption Standard (DES) algorithm, which is now considered as non-secure and relatively slow.

Correction — Use AES Algorithm

One possible correction is to use the faster and more secure Advanced Encryption Standard (AES) algorithm instead.


#include <openssl/evp.h>
#include <stdlib.h>

void func(unsigned char *key, unsigned char *iv) {
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    EVP_CIPHER_CTX_init(ctx);
    const EVP_CIPHER * ciph = EVP_aes_128_cbc();        
    EVP_EncryptInit_ex(ctx, ciph, NULL, key, iv);   
}

Result Information

Group: Cryptography
Language: C | C++
Default: Off
Command-Line Syntax: CRYPTO_CIPHER_WEAK_CIPHER
Impact: Medium
CWE ID: 310, 326, 327

See Also

Topics

Introduced in R2017a

Polyspace Bug Finder Documentation

Support