mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Improve qhelp for broken crypto algo queries
Previously it focussed too much on the risk of data being decrypted, and didn't explain why using weak algorithms is a problem in other contexts.
This commit is contained in:
Owen Mansel-Chan
@@ -3,11 +3,15 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
|
<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>
|
||||||
|
|
||||||
<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or
|
<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
|
||||||
flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
|
</p>
|
||||||
data.</p>
|
<ul>
|
||||||
|
<li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
|
||||||
|
<li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
|
||||||
|
<li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -3,11 +3,15 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
|
<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>
|
||||||
|
|
||||||
<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or
|
<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
|
||||||
flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
|
</p>
|
||||||
data.</p>
|
<ul>
|
||||||
|
<li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
|
||||||
|
<li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
|
||||||
|
<li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|||||||
@@ -4,17 +4,34 @@
|
|||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>
|
<p>
|
||||||
Using broken or weak cryptographic algorithms can leave data
|
Using broken or weak cryptographic algorithms may compromise
|
||||||
vulnerable to being decrypted or forged by an attacker.
|
security guarantees such as confidentiality, integrity, and
|
||||||
|
authenticity.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Many cryptographic algorithms provided by cryptography
|
Many cryptographic algorithms are known to be weak or flawed. The
|
||||||
libraries are known to be weak, or flawed. Using such an
|
security guarantees of a system often rely on the underlying
|
||||||
algorithm means that encrypted or hashed data is less
|
cryptography, so using a weak algorithm can have severe consequences.
|
||||||
secure than it appears to be.
|
For example:
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
If a weak encryption algorithm is used, an attacker may be able to
|
||||||
|
decrypt sensitive data.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak hashing algorithm is used to protect data integrity, an
|
||||||
|
attacker may be able to craft a malicious input that has the same
|
||||||
|
hash as a benign one.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak algorithm is used for digital signatures, an attacker may
|
||||||
|
be able to forge signatures and impersonate legitimate users.
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
</overview>
|
</overview>
|
||||||
<recommendation>
|
<recommendation>
|
||||||
|
|
||||||
|
|||||||
@@ -3,18 +3,36 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Using broken or weak cryptographic algorithms can leave data
|
Using broken or weak cryptographic algorithms may compromise
|
||||||
vulnerable to being decrypted or forged by an attacker.
|
security guarantees such as confidentiality, integrity, and
|
||||||
|
authenticity.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Many cryptographic algorithms provided by cryptography
|
Many cryptographic algorithms are known to be weak or flawed. The
|
||||||
libraries are known to be weak, or flawed. Using such an
|
security guarantees of a system often rely on the underlying
|
||||||
algorithm means that encrypted or hashed data is less
|
cryptography, so using a weak algorithm can have severe consequences.
|
||||||
secure than it appears to be.
|
For example:
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
If a weak encryption algorithm is used, an attacker may be able to
|
||||||
|
decrypt sensitive data.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak hashing algorithm is used to protect data integrity, an
|
||||||
|
attacker may be able to craft a malicious input that has the same
|
||||||
|
hash as a benign one.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak algorithm is used for digital signatures, an attacker may
|
||||||
|
be able to forge signatures and impersonate legitimate users.
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This query alerts on any use of a weak cryptographic algorithm that is
|
This query alerts on any use of a weak cryptographic algorithm that is
|
||||||
not a hashing algorithm. Use of broken or weak cryptographic hash
|
not a hashing algorithm. Use of broken or weak cryptographic hash
|
||||||
|
|||||||
@@ -4,15 +4,33 @@
|
|||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>
|
<p>
|
||||||
Using broken or weak cryptographic algorithms can leave data
|
Using broken or weak cryptographic algorithms may compromise
|
||||||
vulnerable to being decrypted or forged by an attacker.
|
security guarantees such as confidentiality, integrity, and
|
||||||
|
authenticity.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Many cryptographic algorithms provided by cryptography
|
Many cryptographic algorithms are known to be weak or flawed. The
|
||||||
libraries are known to be weak, or flawed. Using such an
|
security guarantees of a system often rely on the underlying
|
||||||
algorithm means that encrypted or hashed data is less
|
cryptography, so using a weak algorithm can have severe consequences.
|
||||||
secure than it appears to be.
|
For example:
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
If a weak encryption algorithm is used, an attacker may be able to
|
||||||
|
decrypt sensitive data.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak hashing algorithm is used to protect data integrity, an
|
||||||
|
attacker may be able to craft a malicious input that has the same
|
||||||
|
hash as a benign one.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak algorithm is used for digital signatures, an attacker may
|
||||||
|
be able to forge signatures and impersonate legitimate users.
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
<p>
|
<p>
|
||||||
This query alerts on any use of a weak cryptographic algorithm that is
|
This query alerts on any use of a weak cryptographic algorithm that is
|
||||||
not a hashing algorithm. Use of broken or weak cryptographic hash
|
not a hashing algorithm. Use of broken or weak cryptographic hash
|
||||||
|
|||||||
@@ -3,17 +3,34 @@
|
|||||||
"qhelp.dtd">
|
"qhelp.dtd">
|
||||||
<qhelp>
|
<qhelp>
|
||||||
<overview>
|
<overview>
|
||||||
<p>
|
<p>
|
||||||
Using broken or weak cryptographic algorithms can leave data
|
Using broken or weak cryptographic algorithms may compromise
|
||||||
vulnerable to being decrypted or forged by an attacker.
|
security guarantees such as confidentiality, integrity, and
|
||||||
</p>
|
authenticity.
|
||||||
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Many cryptographic algorithms provided by cryptography
|
Many cryptographic algorithms are known to be weak or flawed. The
|
||||||
libraries are known to be weak, or flawed. Using such an
|
security guarantees of a system often rely on the underlying
|
||||||
algorithm means that encrypted or hashed data is less
|
cryptography, so using a weak algorithm can have severe consequences.
|
||||||
secure than it appears to be.
|
For example:
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>
|
||||||
|
If a weak encryption algorithm is used, an attacker may be able to
|
||||||
|
decrypt sensitive data.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak hashing algorithm is used to protect data integrity, an
|
||||||
|
attacker may be able to craft a malicious input that has the same
|
||||||
|
hash as a benign one.
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
If a weak algorithm is used for digital signatures, an attacker may
|
||||||
|
be able to forge signatures and impersonate legitimate users.
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This query alerts on any use of a weak cryptographic algorithm that is
|
This query alerts on any use of a weak cryptographic algorithm that is
|
||||||
|
|||||||
Reference in New Issue
Block a user