Merge pull request #10785 from jcogs33/insuff-key-size-globalflow-keysize

Java: Promote insufficient key size query from experimental
This commit is contained in:
Jami
2022-11-08 18:05:01 -05:00
committed by GitHub
17 changed files with 681 additions and 326 deletions

View File

@@ -0,0 +1,55 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Modern encryption relies on the computational infeasibility of breaking a cipher and decoding its
message without the key. As computational power increases, the ability to break ciphers grows, and key
sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are
vulnerable to brute force attacks, which can reveal sensitive data.</p>
</overview>
<recommendation>
<p>Use a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption,
256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.</p>
</recommendation>
<example>
<p>
The following code uses cryptographic algorithms with insufficient key sizes.
</p>
<sample src="InsufficientKeySizeBad.java" />
<p>
To fix the code, change the key sizes to be the recommended size or
larger for each algorithm.
</p>
</example>
<references>
<li>
Wikipedia:
<a href="http://en.wikipedia.org/wiki/Key_size">Key size</a>.
</li>
<li>
Wikipedia: <a href="https://en.wikipedia.org/wiki/Strong_cryptography">Strong cryptography</a>.
</li>
<li>
OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms">
Cryptographic Storage Cheat Sheet</a>.
</li>
<li>
OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption">
Testing for Weak Encryption</a>.
</li>
<li>
NIST:
<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf">
Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.
</li>
</references>
</qhelp>
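Review bot: the `<example>` section shows only the vulnerable sample (`InsufficientKeySizeBad.java`); the paragraph after it tells the reader to change the key sizes but never shows the result, so add a second `<sample src="InsufficientKeySizeGood.java" />` after that paragraph, as the other qhelp files do. Two smaller points in the same hunk: the recommendation calls DSA and DH "encryption", but DSA is a signature algorithm and DH is key agreement, so "2048 bits for RSA, DSA, or DH" reads correctly without the trailing word; and the first Wikipedia reference links to `http://en.wikipedia.org/wiki/Key_size` while every other reference uses https.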

View File

@@ -0,0 +1,22 @@
/**
* @name Use of a cryptographic algorithm with insufficient key size
* @description Using cryptographic algorithms with too small a key size can
* allow an attacker to compromise security.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision high
* @id java/insufficient-key-size
* @tags security
* external/cwe/cwe-326
*/
import java
import semmle.code.java.security.InsufficientKeySizeQuery
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, KeySizeConfiguration cfg
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"This $@ is less than the recommended key size of " + source.getState() + " bits.",
source.getNode(), "key size"
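Review bot: the alert message builds the threshold from `source.getState()`, so it only reads correctly if the flow state used by `KeySizeConfiguration` is always the minimum recommended size for that algorithm in bits; that coupling is not visible from this file, so a comment on the `select` (or in the library's QLDoc) should state it, otherwise a future state value would silently produce a wrong message. Also, the `@description` ("can allow an attacker to compromise security") is vaguer than the qhelp it ships with; "are vulnerable to brute-force attacks" matches the overview and tells the user what the finding means. Since this is a promotion from experimental with `@precision high`, the PR description should record how the false-positive rate was checked.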

View File

@@ -0,0 +1,15 @@
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
keyPairGen1.initialize(1024); // BAD: Key size is less than 2048
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
keyPairGen2.initialize(1024); // BAD: Key size is less than 2048
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
keyPairGen3.initialize(1024); // BAD: Key size is less than 2048
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // BAD: Key size is less than 256
keyPairGen4.initialize(ecSpec);
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(64); // BAD: Key size is less than 128
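Review bot: the sample is a bare sequence of statements with no imports and no enclosing class or method, so it does not compile on its own; since this `<sample>` is the only code users see in the qhelp, wrap it in a class and method and add the `java.security.KeyPairGenerator`, `java.security.spec.ECGenParameterSpec` and `javax.crypto.KeyGenerator` imports. The hunk header advertises 15 lines while 11 are visible here, so check that the remaining lines are not exactly those missing imports. No matching good sample appears in the hunks shown, so the `// BAD:` comments have no `// GOOD:` counterpart demonstrating the 2048/256/128-bit sizes the qhelp recommends.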