python.cryptography.security.insecure-cipher-algorithms-arc4.insecure-cipher-algorithm-arc4
returntocorpAuthor
unknown
Download Count*
License
Detected ARC4 cipher algorithm which is considered insecure. The algorithm is considered weak and has been deprecated. Use AES instead.
Run Locally
Run in CI
Defintion
rules:
- id: insecure-cipher-algorithm-arc4
pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...)
message: Detected ARC4 cipher algorithm which is considered insecure. The
algorithm is considered weak and has been deprecated. Use AES instead.
metadata:
source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
bandit-code: B304
references:
- https://tools.ietf.org/html/rfc5469
category: security
technology:
- cryptography
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
severity: WARNING
languages:
- python
Examples
insecure-cipher-algorithms-arc4.py
# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
from struct import pack
# ruleid:insecure-cipher-algorithm-arc4
cipher = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")
# ok:insecure-cipher-algorithm-arc4
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()
Short Link: https://sg.run/xoZL