python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-blowfish

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
99,223
Download Count*

Detected Blowfish cipher algorithm which is considered insecure. The algorithm has many known vulnerabilities. Use AES instead.

Run Locally

Run in CI

Defintion

rules:
  - id: insecure-cipher-algorithm-blowfish
    pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)
    message: Detected Blowfish cipher algorithm which is considered insecure. The
      algorithm has many known vulnerabilities. Use AES instead.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L96
      cwe: "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp: "A3: Sensitive Data Exposure"
      bandit-code: B304
      references:
        - https://sweet32.info/
      category: security
      technology:
        - cryptography
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

insecure-cipher-algorithms.py

# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py

from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
from struct import pack

# ruleid:insecure-cipher-algorithm-rc4
cipher = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")

# ruleid:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")

# ruleid:insecure-cipher-algorithm-idea
cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")

# ok:insecure-cipher-algorithm-idea
# ok:insecure-cipher-algorithm-rc4
# ok:insecure-cipher-algorithm-blowfish
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()