python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish
semgrep
Author
unknown
Download Count*
License
Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the cryptography
package it is recommended to use Fernet
which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the Cipher
class from the hazmat primitives but use the AES algorithm instead.
Run Locally
Run in CI
Defintion
rules:
- id: insecure-cipher-algorithm-blowfish
message: Blowfish is a block cipher developed by Bruce Schneier. It is known to
be susceptible to attacks when using weak keys. The author has
recommended that users of Blowfish move to newer algorithms such as AES.
With the `cryptography` package it is recommended to use `Fernet` which is
a secure implementation of AES in CBC mode with a 128-bit
key. Alternatively, keep using the `Cipher` class from the hazmat
primitives but use the AES algorithm instead.
metadata:
source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
bandit-code: B304
references:
- https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
- https://tools.ietf.org/html/rfc5469
category: security
technology:
- cryptography
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
functional-categories:
- crypto::search::symmetric-algorithm::cryptography
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
severity: WARNING
languages:
- python
patterns:
- pattern: cryptography.hazmat.primitives.ciphers.algorithms.$BLOWFISH($KEY)
- metavariable-regex:
metavariable: $BLOWFISH
regex: ^(Blowfish)$
- focus-metavariable: $BLOWFISH
fix: AES
Examples
insecure-cipher-algorithms-blowfish.py
# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
from struct import pack
# ruleid:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")
# ok:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()
Short Link: https://sg.run/OdzL