RCA

Risky cryptographic algorithm used

If a program processes sensitive data or protects a communication channel, you may use cryptography to prevent attackers from reading it. There are several obsolete cryptographic algorithms that have proven weaknesses against attack.

The RCA checker detects the use of a specific set of known broken or risky cryptographic algorithm.

Vulnerability and risk

If a program uses broken or risky algorithms in data processing, it could lead to security weaknesses within the program. CWE-327 and NIST Special Publication 800-131A Revision 1 list the following algorithms as broken or risky for use: CBC-MAC, DES, DES-X, Two-key Triple DES, MD2, MD4, MD5, RC2, RNG in ANSI X9.31, SHA-0, SHA-1, SKIPJACK. These algorithms can still be supported in cryptographic libraries, though they are not recommended for use.

Mitigation and prevention

Consider replacing the reported weak algorithm with a stronger one. For example, SHA-256 or SHA-512 can replace SHA-1 or MD5, AES can replace DES, and so on.

Example 1

A function call uses risky algorithm (or initializes an object that represents it).

1 #include <openssl/md5.h>
2
3 void  foo( const  unsigned  char  *msg, unsigned  int  len) {
4     unsigned  char  md5digest[MD5_DIGEST_LENGTH];    
5     MD5(msg, len, md5digest);   //  <== RCA reported
6     // . . . . .
7 }

Example 2

A constant C-string literal that identifies a risky algorithm is passed to a function that will perform it or initialize an object instance that represents it.

1 #include <Bcrypt.h> 
2
3 void  demo()
4 { 
5    NTSTATUS status;    
6    BCRYPT_ALG_HANDLE hAlg;    
7    status = BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_MD4_ALGORITHM, 0, 0); //  <== RCA reported 
8    // use(hAlg)
9 }                     

Example 3

An instance of a class that represents a risky algorithm is created.

1 #include <cryptopp/sha.h>
2
3 using namespace  CryptoPP; 
4 void  bar() {    
5     SHA1 *hashfunc =  new  SHA1();   //  <== RCA reported 
6     // use(hashfunc)
7 }    

Example 4

A custom class is inherited from a class that represents a risky algorithm.

1 #include <cryptopp/sha.h>  
2 
3 class  MyAlgo :  public  CryptoPP::SHA1 {   //  <== RCA reported 
4      // . . . . .
5 }; 

Related checkers

• CS.RCA
• HCC
• RCA.HASH.SALT.EMPTY
• SV.WEAK.CRYPT
• SV.WEAK_CRYPTO.WEAK_HASH

External guidance

Overview and approval statuses for cryptographic algorithms:

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

• NIST.SP.800-131Ar1: NIST Special Publication 800-131A Revision 1. Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (November, 2015)

Reports and articles about compromised cryptographic algorithms:

• DES: COPACOBANA: A Codebreaker for DES and other Ciphers

• DES: SciEngines. Break DES in less than a single day

• DES, RC2: J. Kesley, B. Schneider, D. Wanger. Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA

• Dual_EC_DRBG: Matthew Green. The Many Flaws of Dual_EC_DRBG.

• Dual_EC_DRBG: Kristian Gjøsteen. Comments on Dual-EC-DRBG/NIST SP 800-90

• MD2: Søren S. Thomsen. An improved preimage attack on MD2

• MD4: Hans Dobbertin. Cryptanalysis of MD4

• MD5: M.M.J Stevens. On collision for MD5

• MD5: J. Black, M. Cochran, T. Highland. A study of the MD5 attacks: insights and improvements

• SHA-1: M. Stevens, P. Karman, T. Peyrin. Freestart collision for full SHA-1

• SHA-1: C. McDonald, P. Hawkes, J. Pieprzyk. Differential path for SHA-1 with complexity O(2^52)

• SKIPJACK: Bruce Schneier. Declassifying Skipjack, July 15, 1998