Insecure encryption algorithm - Insecure Elliptic Curve - Elixir

Need

Secure encryption

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Crypto package for cryptographic operations in Elixir

Description

Non compliant code

        defmodule MyApp.Insecure do
  def encrypt_data(data) do
    private_key = :crypto.generate_key(:ecdh, :secp160r1)
    {:ok, cipher_text} = :crypto.private_encrypt(:ecdh, data, private_key, :aes_cbc128)
    cipher_text
  end
end

In this insecure code example, the :secp160r1 elliptic curve is used, which is considered weak and therefore insecure. The key generated using this curve is then used to encrypt the data using AES encryption. The weak key might make the encryption vulnerable to attacks.

Steps

Use a secure elliptic curve when generating the key, such as :secp384r1.
Ensure that all the components of the encryption are secure, including the key, the algorithm, and the cipher mode.

Compliant code

        defmodule MyApp.Secure do
  def encrypt_data(data) do
    private_key = :crypto.generate_key(:ecdh, :secp384r1)
    {:ok, cipher_text} = :crypto.private_encrypt(:ecdh, data, private_key, :aes_cbc128)
    cipher_text
  end
end

In this secure code example, the :secp384r1 elliptic curve is used, which is considered secure. The key generated using this curve is then used to encrypt the data using AES encryption. The secure key enhances the security of the encryption.

References

421. Insecure encryption algorithm - Insecure Elliptic Curve