How to avoid weak encryption in C language

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article analyzes how to avoid weak encryption in C language. The content is detailed and easy to understand; read on to learn more.

1. Weak encryption

Encryption means transforming the original data with a special algorithm so that unauthorized users who obtain the encrypted data still cannot understand its content, because they do not know how to decrypt it. Common encryption algorithms can be divided into symmetric encryption, asymmetric encryption and one-way encryption. Each kind of algorithm suits different scenarios, and an appropriate algorithm is selected according to characteristics such as operation speed, security and key management; of these, security is an important measure of the quality of an encryption algorithm. An encryption algorithm that is easy to crack is called a weak encryption algorithm. For example, the DES algorithm can be cracked by exhaustive search in a limited time. This article uses Java source code as an example to analyze the causes of weak encryption and how to repair it.

2. The harm of weak encryption

Once an encryption algorithm with weak resistance to attack is used, it can lead to leakage of personal private information and even property loss. From January 2018 to April 2019, there were two related vulnerability entries in CVE. The vulnerability information is as follows:

Overview of CVE vulnerabilities:

CVE-2018-9028: Weak encryption is used when transmitting passwords in CA Privileged Access Manager 2.x, which reduces the complexity of password cracking.

CVE-2018-6619: Easy Hosting Control Panel (EHCP) v0.37.12.b uses a salt-free weak encryption algorithm, which makes it easier for attackers to crack database passwords.

3. Sample code

The following sample code comes from the OWASP Benchmark (https://www.owasp.org/index.php/Benchmark), source file name: BenchmarkTest00019.java.

3.1 Defect code

The above sample code reads the contents of the request and encrypts them. Line 49 obtains benchmarkprops, the instance used to read the configuration file. Line 50 loads the configuration file, and lines 52-53 read the property cryptoAlg1 from it; if the property is absent, DESede/ECB/PKCS5Padding is assigned to algorithm by default. Line 54 uses algorithm as the encryption algorithm to construct the cipher object c. Next, the key for encryption is prepared: lines 57-58 instantiate a key generator for the DES encryption algorithm. Line 59 sets the operation mode of the cipher object c to encryption, with key as the key. Lines 62-76 convert the input stream of the request into the byte array input, and line 77 encrypts input, producing the byte array result. The key generated by the DES algorithm is short, only 56 bits, the algorithm is slow, and its security depends entirely on the key, so it is vulnerable to exhaustive search attack.

Scanning the above sample code with the code guard detects a "weak encryption" defect with a displayed level of medium. The defect is reported on line 57 of the code, as shown in Figure 1:

Figure 1: detection example of weak encryption

3.2 Fixed code

In the above fixed code, line 58 uses the AES algorithm instead of the DES algorithm. AES supports keys from a minimum of 128 bits to a maximum of 256 bits, and it is fast with low memory consumption.

Scanning the fixed code with the code guard shows that the "weak encryption" defect is no longer reported, as shown in Figure 2:

Figure 2: detection results after repair

4. How to avoid weak encryption

In systems with high security requirements, it is recommended to use secure encryption algorithms (such as AES, RSA) to encrypt sensitive data.
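
The defect pattern from section 3.1 beside the fix from section 3.2, as an added Java example; it is not the OWASP Benchmark source or code from the original page. The class and method names, the sample input, and the choice of AES-256 in GCM mode with a random 12-byte IV are assumptions made for this illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Added illustration; names and sample data are hypothetical, not Benchmark code.
public class WeakVsStrongEncryption {
    // Defect pattern (section 3.1): single DES, 56-bit key, ECB mode. Comparison only.
    static byte[] encryptWeak(byte[] input) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DES").generateKey();
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(input);
    }

    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256); // AES accepts 128, 192 or 256-bit keys
        return kg.generateKey();
    }

    // Fix pattern (section 3.2); assumed mode AES-GCM, output = 12-byte random IV || ciphertext+tag.
    static byte[] encryptStrong(SecretKey key, byte[] input) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(input);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptStrong(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // throws AEADBadTagException if modified
    }

    public static void main(String[] args) throws Exception {
        byte[] input = "constructed sample request body".getBytes(StandardCharsets.UTF_8);
        System.out.println("DES/ECB ciphertext length: " + encryptWeak(input).length);
        SecretKey key = newAesKey();
        byte[] blob = encryptStrong(key, input);
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(input, decryptStrong(key, blob)));
    }
}
```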
