Weak encryption library usage detected.

Description

A weak encryption or hashing library can lead to data breaches and greater security risk. This rule checks for the use of weak encryption and hashing libraries or algorithms.

Remediations

According to OWASP, MD5, RC4, DES, Blowfish, SHA1, 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), and 80/112-bit 2TDEA (two-key triple DES) are considered weak hash/encryption algorithms and therefore shouldn't be used.

❌ Avoid libraries and algorithms with known weaknesses:

Digest::SHA1.hexdigest 'weak password encryption'
Crypt::Blowfish.new("weak password encryption")
RC4.new("weak password encryption")
OpenSSL::PKey::RSA.new 1024
OpenSSL::PKey::DSA.new 1024
Digest::MD5.hexdigest 'unsecure string'

✅ Instead, we recommend using bcrypt:

BCrypt::Password.create('iLOVEdogs123')
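As an added example (not part of this rule page or Bearer's own code), the block below shows the standard-library replacements for the weak calls listed above, plus a verification routine and a small scanner that flags the same weak calls in source text. The page recommends the bcrypt gem for passwords; this example instead uses PBKDF2-HMAC-SHA256 from OpenSSL::KDF so it runs with no extra gems (bcrypt remains the better default where the gem is available). The iteration count, the stored-hash format, the function names and the sample source lines are assumptions chosen for the example.

```ruby
require 'openssl'
require 'digest'
require 'securerandom'

# Integrity digest: SHA-256 instead of Digest::MD5 / Digest::SHA1.
def file_digest(data)
  Digest::SHA256.hexdigest(data)
end

# Asymmetric key: refuse anything below 2048 bits (1024-bit RSA is on the weak list).
def generate_rsa_key(bits = 2048)
  raise ArgumentError, "RSA keys below 2048 bits are weak (got #{bits})" if bits < 2048
  OpenSSL::PKey::RSA.generate(bits)
end

# Password storage: a slow, salted KDF. 600_000 is an assumed work factor
# (OWASP's published PBKDF2-HMAC-SHA256 guidance); tune it for your hardware.
PBKDF2_ITERATIONS = 600_000
PBKDF2_KEY_BYTES  = 32
SALT_BYTES        = 16

# Stored format (assumed, not a standard): scheme$iterations$salt_hex$hash_hex
def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.bytes(SALT_BYTES)
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: PBKDF2_KEY_BYTES, hash: 'sha256')
  "pbkdf2-sha256$#{iterations}$#{salt.unpack1('H*')}$#{key.unpack1('H*')}"
end

# Byte-wise comparison that does not short-circuit on the first mismatch,
# so timing does not leak how many leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, stored)
  scheme, iterations, salt_hex, hash_hex = stored.split('$', 4)
  return false unless scheme == 'pbkdf2-sha256' && salt_hex && hash_hex
  salt     = [salt_hex].pack('H*')
  expected = [hash_hex].pack('H*')
  actual   = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                      length: expected.bytesize, hash: 'sha256')
  constant_time_equal?(actual, expected)
end

# The rule's detection logic, reduced to line-oriented pattern matching
# over the algorithms named on this page.
WEAK_PATTERNS = {
  'MD5'          => /\bDigest::MD5\b/,
  'SHA1'         => /\bDigest::SHA1\b/,
  'Blowfish'     => /\bCrypt::Blowfish\b/,
  'RC4'          => /\bRC4\.new\b/,
  '1024-bit RSA' => /OpenSSL::PKey::RSA\.new\s*\(?\s*1024\b/,
  '1024-bit DSA' => /OpenSSL::PKey::DSA\.new\s*\(?\s*1024\b/
}.freeze

# Returns [[line_number, finding_name], ...] for every weak call in +source+.
def weak_crypto_calls(source)
  source.each_line.with_index(1).flat_map do |line, number|
    WEAK_PATTERNS.select { |_, re| line.match?(re) }.keys.map { |name| [number, name] }
  end
end

# Constructed sample source: the page's own "avoid" list plus two safe lines.
WEAK_SAMPLE = <<~RUBY
  Digest::SHA1.hexdigest 'weak password encryption'
  Crypt::Blowfish.new("weak password encryption")
  RC4.new("weak password encryption")
  OpenSSL::PKey::RSA.new 1024
  OpenSSL::PKey::DSA.new 1024
  Digest::MD5.hexdigest 'unsecure string'
  Digest::SHA256.hexdigest 'fine'
  OpenSSL::PKey::RSA.generate(2048)
RUBY

if __FILE__ == $PROGRAM_NAME
  weak_crypto_calls(WEAK_SAMPLE).each { |n, name| puts "line #{n}: weak algorithm #{name}" }
  stored = hash_password('iLOVEdogs123')
  puts "stored: #{stored}"
  puts "verify correct password: #{verify_password('iLOVEdogs123', stored)}"
  puts "verify wrong password:   #{verify_password('iLOVEdogs124', stored)}"
end
```

Running the file prints six findings for the sample (one per weak line, none for the SHA-256 and 2048-bit lines) and a fresh salted hash on every run; only the scheme prefix and iteration count stay constant, so never compare stored hashes with plain string equality.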

Resources

Associated CWE

OWASP Top 10