hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-21 06:55:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Tweak .qhelp layout.

Browse Source
This commit is contained in:
Geoffrey White
2025-01-10 12:48:53 +00:00
parent bb4322cf7c
commit 39a38c4c53
1 changed files with 32 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.qhelp
View File

@@ -4,31 +4,31 @@
<qhelp>
<overview>
<p>
Using a broken or weak cryptographic hash function can leave data
A broken or weak cryptographic hash function can leave data
vulnerable, and should not be used in security related code.
</p>
<p>
A strong cryptographic hash function should be resistant to:
<ul>
<li>
<b>Pre-image attacks</b>. If you know a hash value <code>h(x)</code>,
you should not be able to easily find the input <code>x</code>.
</li>
<li>
<b>Collision attacks</b>. If you know a hash value <code>h(x)</code>,
you should not be able to easily find a different input
<code>y</code>
with the same hash value <code>h(x) = h(y)</code>.
</li>
<li>
<b>Brute force</b>. For passwords and other data with limited
input space, if you know a hash value <code>h(x)</code>
you should not be able to find the input <code>x</code> even using
a brute force attack (without significant computational effort).
</li>
</ul>
</p>
<ul>
<li>
<b>Pre-image attacks</b>. If you know a hash value <code>h(x)</code>,
you should not be able to easily find the input <code>x</code>.
</li>
<li>
<b>Collision attacks</b>. If you know a hash value <code>h(x)</code>,
you should not be able to easily find a different input
<code>y</code>
with the same hash value <code>h(x) = h(y)</code>.
</li>
<li>
<b>Brute force</b>. For passwords and other data with limited
input space, if you know a hash value <code>h(x)</code>
you should not be able to find the input <code>x</code> even using
a brute force attack (without significant computational effort).
</li>
</ul>
<p>
As an example, both MD5 and SHA-1 are known to be vulnerable to collision attacks.
@@ -51,18 +51,17 @@
<p>
Ensure that you use a strong, modern cryptographic hash function, such as:
<ul>
<li>
Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space where
a dictionary-like attack is feasible.
</li>
<li>
SHA-2, or SHA-3 in other cases.
</li>
</ul>
</p>
<ul>
<li>
Argon2, scrypt, bcrypt, or PBKDF2 for passwords and other data with limited input space where
a dictionary-like attack is feasible.
</li>
<li>
SHA-2, or SHA-3 in other cases.
</li>
</ul>
<p>
Note that special purpose algorithms, which are used to ensure that a message comes from a
particular sender, exist for message authentication. These algorithms should be used when
@@ -95,6 +94,8 @@
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html">
Transport Layer Security Cheat Sheet
</a>
</li>
<li>
GitHub:
<a href="https://github.com/RustCrypto/hashes?tab=readme-ov-file#rustcrypto-hashes">
RustCrypto: Hashes
@@ -103,11 +104,12 @@
<a href="https://github.com/RustCrypto/password-hashes?tab=readme-ov-file#rustcrypto-password-hashes">
RustCrypto: Password Hashes
</a>
</li>
<li>
The RustCrypto Book:
<a href="https://rustcrypto.org/key-derivation/hashing-password.html">
Password Hashing
</a>
</li>
</references>