Is this similar to https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp and https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql ?

Is this similar to https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp and https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql ?

Hi!
Not exactly. Proposed query could be used for detection of incorrect usage of secure algorithms (for example, AES-128 ECB which could be vulnerable for CPA), when mentioned query is about known-weak algorithms.
Maybe, it should be more appropriate to merge proposed query with https://github.com/github/codeql/blob/master/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql

@monkey-junkie In case you didn't know:

^ Pro tip: in the "Files changed" view, you have the option of adding review suggestions to a batch and commit them all at once.

• Is there ever a valid reason to reuse a given IV for multiple plaintexts?

I think this is the mistake that Sony made in the Playstation 3 (article).
I'm not sure if this was a chosen chosen-plaintext attack.

After studying this a little more I start to wonder if this should be moved to BrokenCryptoAlgorithm. The chosen-plaintext vector seemed really interesting at first, but now it seems to me these crypto algorithms are insecure even if the attacker can't choose the plaintext.

Two questions:

• Is there ever a valid reason to use ECB when an outsider can't control the plaintext?
• Is there ever a valid reason to reuse a given IV for multiple plaintexts?

If not, I think we can move these sinks into BrokenCryptoAlgorithm and just flag them regardless of whether the plaintext is tainted.

If there are valid reasons (and we could thus get FPs from BrokenCryptoAlgorithm), I'd appreciate it if the documentation is more specific to chosen-plaintext attacks rather than the generic "incorrect usage" term. For example, the @description could be:

Encrypting user-controlled plaintexts with ECB or with a reused IV enables an attacker to recover the secret key via chosen-plaintext attack.

(keep in mind I'm not a cryptographer so the above description may be wrong, in particular the part about actually recovering the key)

Hi!

Is there ever a valid reason to use ECB when an outsider can't control the plaintext?

No.

Is there ever a valid reason to reuse a given IV for multiple plaintexts?

According to RFC for CTR mode, "The same IV and key combination MUST NOT be used more than once" so, technically, it is safe to use static IV with unique encryption key per message, but unique encryption key is very rare case.

In sum, I think you are right and whe should move query to BrokenCryptoAlgorithm with additional check for key uniqueness (based on getContainer, like for unique IV in my ConstIVSink class).
So I'm going to add my updated pr to BrokenCryptoAlgorithm, if you dont mind.

So I'm going to add my updated pr to BrokenCryptoAlgorithm, if you dont mind.

Thanks. Please go ahead.

Closing the PR due to inactivity, but feel free to reopen if you wish to continue work on it.

Overall I think the ECB and reused-IV stuff could be useful to have in query suite in some form, so I'd be happy to see it re-opened. In retrospect I wish I had not suggested moving it into the non-experimental BrokenCryptoAlgorithm query because the requirements are higher for such queries, and it's just more work to integrate with the abstraction we use internally. Merging as an experimental query would have been better than closing the PR unmerged like this.