Insecure Use of Cryptography

Why is this important?

Cryptography is hard. And when it is used in an application, it's usually to make sure user data is secure in transit and at rest. Cryptographic libraries are not always easy to use and can even contain insecurities. They often require the Developer to have a good understanding of the primitives available and expect the Developer to make the right choices. A great cryptographic library has minimal knobs and dials and uses the best cryptographic primitives by default thus freeing the Developer from having to understand the primitives and make the right decisions.

Check out this video for a high-level explanation:

Fixing Insecure Use of Cryptography

Option A: Use Strong RSA Key Size

1. Go through the issues that GuardRails identified in the PR

2. Identify the code that uses any of these imports:

   • Crypto.Cipher
   • Crypto.Hash
   • Crypto.IO
   • Crypto.Protocol
   • Crypto.PublicKey
   • Crypto.Random
   • Crypto.Signature
   • Crypto.Utilrsa.GenerateKey

   Such as the example below:

   from Crypto.PublicKey import DSA
   ...
   DSA.generate_private_key(512, backends.default_backend())

   and replace it with the according library from Pyca/Cryptography

   from cryptography.hazmat.primitives.asymmetric import dsa
   # And make sure the key size is at least 2048
   private_key = dsa.generate_private_key(key_size=2048, backend=default_backend())

3. Test it

4. Ship it 🚢 and relax 🌴

More information:

• OWASP Top 10 - A02 Cryptographic Failures
• Cryptographic Storage Cheat Sheet
• Common Weakness Enumeration (CWE-326)
• Bandit B413 - import_pycrypto
• Pyca/Cryptography
• Google Tink Library