Python logoPython/
PTC-W1004

Audit required: Insecure cipherPTC-W1004

Major severityMajor
Security categorySecurity
cwe, a02, a06, cwe-327, owasp-top-10

Cipher used is not secure. It is recommended to replace it with a known secure cipher such as AES.

Following ciphers are considered weak for a variety of reasons:

  • Single DES: DES was never cryptographically broken, but its key length is too short by nowadays standards and it could be brute forced with some effort.
  • BlowFish: Susceptible to attacks when using weak keys.
  • ARC4: Weaknesses in its initial stream output.
  • IDEA: Susceptible to attacks when using weak keys.

New applications should avoid their use and existing applications should strongly consider migrating away.

It is recommended to use AES. AES is both fast and cryptographically strong. It is a good default choice for encryption.

Bad practice

pycryptodome library:

from Crypto.Cipher import ARC4, DES

cipher1 = ARC4.new(key)
cipher2 = DES.new(key, DES.MODE_OFB)

pyca/cryptography library:

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv))

pycryptodome library:

from Crypto.Cipher import AES

cipher1 = AES.new(key, AES.MODE_EAX)
cipher2 = AES.new(key, AES.MODE_OFB)

pyca/cryptography library:

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

cipher = Cipher(algorithms.AES(key), modes.CBC(iv))

References: