Broken or risky cryptographic algorithm

OWASP category: MASVS-CRYPTO: Cryptography

Overview

Despite the widespread use of cryptography to protect data confidentiality and integrity, a significant risk arises when developers inadvertently implement weak or outdated cryptographic algorithms. This vulnerability stems from the inherent weaknesses in these algorithms, which can be exploited by malicious actors possessing the necessary computational power or knowledge. The consequences of such exploitation can be severe, potentially leading to unauthorized access, data breaches, and manipulation of sensitive information.

Impact

Sensitive data can be exposed, modified, or forged. Broken or risky cryptographic algorithms might lead to vulnerabilities and can be abused to decrypt sensitive information, tamper with data, or impersonate legitimate entities. The impact of exploiting such vulnerabilities can range from data breaches and financial losses to reputational damage and loss of user trust.

Risk: Weak or broken cryptographic hash functions

The use of weak or broken cryptographic hash functions (such as MD5 or SHA-1) poses a significant risk to the security and integrity of data. Hash functions are designed to create fixed-length fingerprints (hashes) of input data that are, in practice, unique to that input, making them useful for various purposes, including data integrity verification, password storage, and digital signatures. However, when weak or compromised hash functions are employed, several vulnerabilities can arise:

  • Collision Attacks: Weak hash functions are susceptible to collision attacks, where an attacker finds two different inputs that produce the same hash value. This can allow them to substitute malicious data for legitimate data without detection, compromising data integrity.
  • Data Breaches: If passwords are hashed with a weak algorithm, a successful breach of a system could lead to the exposure of user credentials. Attackers could then use rainbow tables or other techniques to crack the passwords, gaining unauthorized access to accounts.
  • Repudiation of Digital Signatures: Weak hash functions used in digital signatures can be exploited to create forged signatures, making it difficult to determine the authenticity and integrity of documents or messages.

Mitigations

To mitigate these risks, it is crucial to use strong, well-vetted cryptographic hash functions like SHA-2 or SHA-3, and to keep them updated as new vulnerabilities are discovered. Additionally, adopting security practices such as salting passwords and using password-specific hashing algorithms like bcrypt or Argon2 can further enhance data protection.
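As an added example (not code from this page, from OWASP or from any library it names), salted and iterated password hashing using only Go's standard library. PBKDF2-HMAC-SHA256 stands in here for bcrypt or Argon2, which in Go live outside the standard library; the iteration count, sample password and function names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Constructed example value; tune the iteration count to your hardware.
const pbkdf2Iterations = 100000

// pbkdf2SHA256 derives one 32-byte block (dkLen == hash length) per RFC 8018.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index i = 1, big-endian
	u := prf.Sum(nil)             // U_1
	dk := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u) // U_i = PRF(password, U_{i-1})
		u = prf.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// HashPassword draws a fresh 16-byte random salt so equal passwords never
// share a key; the caller stores salt and key, never the password itself.
func HashPassword(password string) (salt, key []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	return salt, pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations), nil
}

// VerifyPassword re-derives from the stored salt and compares in constant time.
func VerifyPassword(salt, key []byte, password string) bool {
	got := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)
	return subtle.ConstantTimeCompare(got, key) == 1
}

func main() {
	salt, key, _ := HashPassword("correct horse battery staple")
	println(VerifyPassword(salt, key, "correct horse battery staple")) // true
}
```

Because the salt is random per record, two users with the same password get different stored keys, which is what defeats precomputed (rainbow) tables.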


Risk: Weak or broken cryptographic encryption functions

The use of weak or broken cryptographic encryption functions (such as DES or RC4) poses severe risks to the confidentiality of sensitive data. Encryption is designed to protect information by transforming it into an unreadable format, but if the encryption algorithm is flawed, these protections can be bypassed:

  • Data Breaches: Weak encryption algorithms are susceptible to various attacks, including brute-force attacks, known-plaintext attacks, and cryptanalysis techniques. If successful, these attacks can expose encrypted data, allowing unauthorized access to sensitive information such as personal details, financial records, or confidential business data.
  • Data Manipulation and Tampering: Even if an attacker cannot fully decrypt the data, they may still be able to manipulate it without detection if the encryption algorithm is weak. This can lead to unauthorized modifications of data, potentially resulting in fraud, misrepresentation, or other malicious activities.

Mitigations

Use strong cryptographic algorithms in encryption functions

To mitigate these risks, it is crucial to use strong, well-vetted cryptographic algorithms and follow best practices for key management and encryption implementation. Regularly updating encryption algorithms and staying informed about emerging threats is also essential to maintain robust data security.

Some recommended default algorithms to use:

  • Symmetric encryption:
    • AES-128/AES-256 with GCM mode
    • ChaCha20
  • Asymmetric encryption:
    • RSA-2048/RSA-4096 with OAEP padding

Use secure primitives from a cryptography library to reduce common pitfalls

While selecting an appropriate encryption algorithm is crucial, to truly minimize security vulnerabilities, consider using a cryptography library that offers a streamlined API and emphasizes secure default configurations. This approach not only strengthens the security of your applications but also significantly reduces the likelihood of introducing vulnerabilities through coding errors. For example, Tink simplifies encryption choices by offering two distinct options: AEAD and Hybrid encryption, making it easier for developers to make informed security decisions.
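An added example, not code from this page or from Tink: authenticated encryption with AES-256-GCM from Go's standard library, showing how an AEAD closes the tampering gap described above by rejecting any modified ciphertext or associated data. The key, message and function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAEAD wraps AES-128 or AES-256 (16- or 32-byte key) in GCM, an AEAD mode
// that authenticates ciphertext and associated data as well as encrypting.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt prepends a fresh random 12-byte nonce to the sealed output; a nonce
// must never repeat under one key, and random nonces are fine at moderate volume.
func Encrypt(aead cipher.AEAD, plaintext, associatedData []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Decrypt fails closed: any change to nonce, ciphertext, tag or associated
// data makes Open return an error rather than silently altered plaintext.
func Decrypt(aead cipher.AEAD, sealed, associatedData []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, associatedData)
}

func main() {
	// Constructed 32-byte demo key; real keys come from a KDF or a keystore.
	aead, _ := NewAEAD([]byte("0123456789abcdef0123456789abcdef"))
	sealed, _ := Encrypt(aead, []byte("transfer 10 EUR"), []byte("msg-id:1"))
	sealed[len(sealed)-1] ^= 1 // one-bit change in transit
	_, err := Decrypt(aead, sealed, []byte("msg-id:1"))
	println("tampered message rejected:", err != nil) // true
}
```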


Risk: Weak or broken cryptographic signature functions

The use of weak or broken cryptographic signature functions (such as RSA-PKCS#1 v1.5, or the ones based on weak hash functions) poses severe risks to the integrity of data and communication. Digital signatures are designed to provide authentication, non-repudiation, and data integrity, ensuring that a message or document originates from a specific sender and has not been tampered with. However, when the underlying signature algorithm is flawed, these assurances can be compromised:

  • Forging signatures: Weak signature algorithms can be vulnerable to attacks that allow malicious actors to create forged signatures. This means they can impersonate legitimate entities, fabricate documents, or tamper with messages without detection.
  • Repudiation of signatures: If a signature algorithm is broken, a signer may be able to falsely claim that they did not sign a document, undermining the principle of non-repudiation and creating legal and logistical challenges.
  • Data manipulation and tampering: In scenarios where signatures are used to protect the integrity of data, a weak algorithm could allow attackers to modify the data without invalidating the signature, leading to undetected tampering and potential compromise of critical information.

Mitigations

Use strong cryptographic signature algorithms

To mitigate these risks, it is crucial to use strong, well-vetted cryptographic signature algorithms:

  • RSA-2048/RSA-4096 with PSS padding
  • Elliptic Curve Digital Signature Algorithm (ECDSA) with secure curves

Use secure primitives from a cryptography library to reduce common pitfalls

Choosing the right signature algorithm is essential, but to truly minimize security vulnerabilities, consider a cryptography library that provides robust security assurances by default. Tink, for example, simplifies signature choices by offering ECDSA with secure curves as its default option, all within a straightforward and comprehensive API. This approach not only enhances security but also streamlines development by eliminating the need for complex configuration or decision-making.
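An added example, not code from this page or from Tink: ECDSA over P-256 with SHA-256 using Go's standard library, with a check that a one-character change to the signed payload invalidates the signature. The key, payload and function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewSigningKey generates a P-256 (secp256r1) key pair, a standard choice of
// secure curve for ECDSA.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message with SHA-256 and produces an ASN.1 DER-encoded ECDSA
// signature. crypto/ecdsa draws the per-signature nonce from crypto/rand,
// which is what keeps the private key safe to reuse across many signatures.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest and checks the signature against the public
// key; any change to the message, signature or key makes this return false.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := NewSigningKey()
	msg := []byte(`{"to":"ACC-1","amount":10}`) // constructed payload
	sig, _ := Sign(priv, msg)
	println("original verifies:", Verify(&priv.PublicKey, msg, sig)) // true
	msg[len(msg)-2] = '9' // amount changed from 10 to 19 after signing
	println("tampered verifies:", Verify(&priv.PublicKey, msg, sig)) // false
}
```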


Resources