Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageAudit required: Insecure cipherPTC-W1004
Major
Security cwe, a02, a06, cwe-327, owasp-top-10
Cipher used is not secure. It is recommended to replace it with a known secure cipher such as AES.
Following ciphers are considered weak for a variety of reasons:
- Single DES: DES was never cryptographically broken, but its key length is too short by nowadays standards and it could be brute forced with some effort.
- BlowFish: Susceptible to attacks when using weak keys.
- ARC4: Weaknesses in its initial stream output.
- IDEA: Susceptible to attacks when using weak keys.
New applications should avoid their use and existing applications should strongly consider migrating away.
It is recommended to use AES. AES is both fast and cryptographically strong. It is a good default choice for encryption.
Bad practice
from Crypto.Cipher import ARC4, DES
cipher1 = ARC4.new(key)
cipher2 = DES.new(key, DES.MODE_OFB)
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv))
Recommended
pycryptodome library:
from Crypto.Cipher import AES
cipher1 = AES.new(key, AES.MODE_EAX)
cipher2 = AES.new(key, AES.MODE_OFB)
pyca/cryptography library:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
References:
- OWASP Top 10 2021 Category A02 - Cryptographic Failures
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE 327 - Use of a Broken or Risky Cryptographic Algorithm