Sensitive data encrypted with a weak encryption library detected.

• Rule ID: ruby_lang_weak_encryption_with_data
• Languages: ruby
• Source: weak_encryption_with_data.yml

Description

A weak encryption or hashing library can lead to data breaches and greater security risk. This rule checks if weak encryption techniques are used on sensitive data.

Remediations

According to OWASP: MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) are considered as weak hash/encryption algorithms and therefor shouldn't be used.

❌ Avoid libraries and algorithms with known weaknesses:

Digest::SHA1.hexdigest 'weak password encryption'
Crypt::Blowfish.new("weak password encryption")
RC4.new("weak password encryption")
OpenSSL::PKey::RSA.new 1024
OpenSSL::PKey::DSA.new 1024
Digest::MD5.hexdigest 'unsecure string'

✅ Instead, we recommend using bcrypt:

BCrypt::Password.create('iLOVEdogs123')

Resources

• BCrypt Explained

Associated CWE

• CWE-326: Inadequate Encryption Strength
• CWE-331: Insufficient Entropy

OWASP Top 10

• A02:2021 - Cryptographic Failures