Python: Add qhelp for new query.

markshannon · markshannon · commit 3c4c8cf7d3d4 · 2018-11-28T16:57:34.000Z
diff --git a/python/ql/src/Security/CWE-326/WeakCrypto.qhelp b/python/ql/src/Security/CWE-326/WeakCrypto.qhelp
@@ -0,0 +1,53 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key.
+As computational power increases, the ability to break ciphers grows and keys need to become larger.
+</p>
+<p>
+There are three main asymmetric key algorithms in use:
+<ul>
+<li>Rivest–Shamir–Adleman (RSA) cryptography</li>
+<li>Digital Signature Algorithm (DSA)</li>
+<li>Elliptic-curve cryptography (ECC)</li>
+</ul>
+With current technology, key sizes of 2048 bits for RSA and DSA,
+or 224 bits for ECC, are regarded as unbreakable.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Increase the key size to the recommended amount or larger. For RSA or DSA this is at least 2048 bits, for ECC this is at least 224 bits.
+</p>
+</recommendation>
+
+<references>
+<li>
+Wikipedia:
+<a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm">Digital Signature Algorithm</a>.
+</li>
+<li>
+Wikipedia:
+<a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA cryptosystem</a>.
+</li>
+<li>
+Wikipedia:
+<a href="https://en.wikipedia.org/wiki/Elliptic-curve_cryptography">Elliptic-curve cryptography</a>.
+</li>
+<li>
+Python cryptography module:
+<a href="https://cryptography.io/en/latest/"</a>.
+</li>
+<li>
+NIST:
+<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf">
+Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.
+</li>
+</references>
+</qhelp>
+
