Merge pull request #4255 from fatenhealy/IncreaseInsufficientKeySizeValue

tamasvajk · web-flow · commit 5ab5e75b8549 · 2020-09-22T23:06:12.000+02:00
Increase insufficient key size value from 1024 to 2048
diff --git a/change-notes/1.26/analysis-csharp.md b/change-notes/1.26/analysis-csharp.md
@@ -12,7 +12,7 @@ The following changes in version 1.26 affect C# analysis in all applications.
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-
+| Weak encryption: Insufficient key size (`cs/insufficient-key-size`) | More results | The required key size has been increased from 1024 to 2048. |
 
 ## Removal of old queries
 
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.cs b/csharp/ql/src/Security Features/InsufficientKeySize.cs
@@ -11,7 +11,7 @@ static public byte[] EncryptWithRSA(byte[] plaintext, RSAParameters key)
         {
             try
             {
-                RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512); // BAD
+                RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(1024); // BAD
                 rsa.ImportParameters(key);
                 return rsa.Encrypt(plaintext, true);
             }
@@ -27,7 +27,7 @@ static public byte[] EncryptWithRSA2(byte[] plaintext, RSAParameters key)
             try
             {
                 RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); // BAD
-                rsa = new RSACryptoServiceProvider(1024); // GOOD
+                rsa = new RSACryptoServiceProvider(2048); // GOOD
                 rsa.ImportParameters(key);
                 return rsa.Encrypt(plaintext, true);
             }
@@ -58,7 +58,7 @@ static public byte[] EncryptWithDSA2(byte[] plaintext, DSAParameters key)
             try
             {
                 DSACryptoServiceProvider dsa = new DSACryptoServiceProvider(); // BAD
-                dsa = new DSACryptoServiceProvider(1024); // GOOD
+                dsa = new DSACryptoServiceProvider(2048); // GOOD
                 dsa.ImportParameters(key);
                 return dsa.SignData(plaintext);
             }
@@ -121,7 +121,7 @@ public static byte[] DSASignHash(byte[] HashToSign, DSAParameters DSAKeyInfo,
             try
             {
                 // Create a new instance of DSACryptoServiceProvider.
-                using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(1024)) // GOOD
+                using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(2048)) // GOOD
                 {
                     // Import the key information.
                     DSA.ImportParameters(DSAKeyInfo);
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.qhelp b/csharp/ql/src/Security Features/InsufficientKeySize.qhelp
@@ -8,7 +8,7 @@ are vulnerable to brute force attack when too small a key size is used.</p>
 
 </overview>
 <recommendation>
-<p>The key should be at least 1024-bit long when using RSA encryption, and 128-bit long when using 
+<p>The key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using 
 symmetric encryption.</p>
 
 </recommendation>
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.ql b/csharp/ql/src/Security Features/InsufficientKeySize.ql
@@ -29,17 +29,17 @@ predicate incorrectUseOfDSA(ObjectCreation e, string msg) {
       .getTarget()
       .getDeclaringType()
       .hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 1024) and
-  msg = "Key size should be at least 1024 bits for DSA encryption."
+  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+  msg = "Key size should be at least 2048 bits for DSA encryption."
 }
 
 predicate incorrectUseOfRSA(ObjectCreation e, string msg) {
   e
       .getTarget()
       .getDeclaringType()
       .hasQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 1024) and
-  msg = "Key size should be at least 1024 bits for RSA encryption."
+  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
+  msg = "Key size should be at least 2048 bits for RSA encryption."
 }
 
 from Expr e, string msg
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs
@@ -13,18 +13,18 @@ public void CryptoMethod()
         // GOOD: Key size is greater than 128
         new RC2CryptoServiceProvider().EffectiveKeySize = 256;
 
-        // BAD: Key size is less than 1024.
+        // BAD: Key size is less than 2048.
         DSACryptoServiceProvider dsaBad = new DSACryptoServiceProvider(512);
-        // GOOD: Key size defaults to 1024.
+        // GOOD: Key size defaults to 2048.
         DSACryptoServiceProvider dsaGood1 = new DSACryptoServiceProvider();
-        // GOOD: Key size is greater than 1024.
+        // GOOD: Key size is greater than 2048.
         DSACryptoServiceProvider dsaGood2 = new DSACryptoServiceProvider(2048);
 
-        // BAD: Key size is less than 1024.
+        // BAD: Key size is less than 2048.
         RSACryptoServiceProvider rsaBad = new RSACryptoServiceProvider(512);
-        // GOOD: Key size defaults to 1024.
+        // GOOD: Key size defaults to 2048.
         RSACryptoServiceProvider rsaGood1 = new RSACryptoServiceProvider();
-        // GOOD: Key size is greater than 1024.
+        // GOOD: Key size is greater than 2048.
         RSACryptoServiceProvider rsaGood2 = new RSACryptoServiceProvider(2048);
     }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.expected b/csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.expected
@@ -1,3 +1,3 @@
 | InsufficientKeySize.cs:10:9:10:60 | ... = ... | Key size should be at least 128 bits for RC2 encryption. |
-| InsufficientKeySize.cs:17:43:17:75 | object creation of type DSACryptoServiceProvider | Key size should be at least 1024 bits for DSA encryption. |
-| InsufficientKeySize.cs:24:43:24:75 | object creation of type RSACryptoServiceProvider | Key size should be at least 1024 bits for RSA encryption. |
+| InsufficientKeySize.cs:17:43:17:75 | object creation of type DSACryptoServiceProvider | Key size should be at least 2048 bits for DSA encryption. |
+| InsufficientKeySize.cs:24:43:24:75 | object creation of type RSACryptoServiceProvider | Key size should be at least 2048 bits for RSA encryption. |

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ static public byte[] EncryptWithRSA(byte[] plaintext, RSAParameters key)`
`11`	`11`	`{`
`12`	`12`	`try`
`13`	`13`	`{`
`14`		`- RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512); // BAD`
	`14`	`+ RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(1024); // BAD`
`15`	`15`	`rsa.ImportParameters(key);`
`16`	`16`	`return rsa.Encrypt(plaintext, true);`
`17`	`17`	`}`
`@@ -27,7 +27,7 @@ static public byte[] EncryptWithRSA2(byte[] plaintext, RSAParameters key)`
`27`	`27`	`try`
`28`	`28`	`{`
`29`	`29`	`RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); // BAD`
`30`		`- rsa = new RSACryptoServiceProvider(1024); // GOOD`
	`30`	`+ rsa = new RSACryptoServiceProvider(2048); // GOOD`
`31`	`31`	`rsa.ImportParameters(key);`
`32`	`32`	`return rsa.Encrypt(plaintext, true);`
`33`	`33`	`}`
`@@ -58,7 +58,7 @@ static public byte[] EncryptWithDSA2(byte[] plaintext, DSAParameters key)`
`58`	`58`	`try`
`59`	`59`	`{`
`60`	`60`	`DSACryptoServiceProvider dsa = new DSACryptoServiceProvider(); // BAD`
`61`		`- dsa = new DSACryptoServiceProvider(1024); // GOOD`
	`61`	`+ dsa = new DSACryptoServiceProvider(2048); // GOOD`
`62`	`62`	`dsa.ImportParameters(key);`
`63`	`63`	`return dsa.SignData(plaintext);`
`64`	`64`	`}`
`@@ -121,7 +121,7 @@ public static byte[] DSASignHash(byte[] HashToSign, DSAParameters DSAKeyInfo,`
`121`	`121`	`try`
`122`	`122`	`{`
`123`	`123`	`// Create a new instance of DSACryptoServiceProvider.`
`124`		`- using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(1024)) // GOOD`
	`124`	`+ using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(2048)) // GOOD`
`125`	`125`	`{`
`126`	`126`	`// Import the key information.`
`127`	`127`	`DSA.ImportParameters(DSAKeyInfo);`