python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea

Verified by r2c
Community Favorite
Author: semgrep
Download Count: 99,223

IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as AES instead. With the cryptography package, it is recommended to use Fernet, which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the Cipher class from the hazmat primitives but use the AES algorithm instead.


Definition

rules:
  - id: insecure-cipher-algorithm-idea
    message: IDEA (International Data Encryption Algorithm) is a block cipher
      created in 1991.  It is an optional component of the OpenPGP standard.
      This cipher is susceptible to attacks when using weak keys.  It is
      recommended that you do not use this cipher for new applications. Use a
      strong symmetric cipher such as AES instead. With the `cryptography`
      package it is recommended to use `Fernet` which is a secure implementation
      of AES in CBC mode with a 128-bit key.  Alternatively, keep using the
      `Cipher` class from the hazmat primitives but use the AES algorithm
      instead.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      bandit-code: B304
      references:
        - https://tools.ietf.org/html/rfc5469
        - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA
      category: security
      technology:
        - cryptography
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      functional-categories:
        - crypto::search::symmetric-algorithm::cryptography
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    severity: WARNING
    languages:
      - python
    patterns:
      - pattern: cryptography.hazmat.primitives.ciphers.algorithms.$IDEA($KEY)
      - metavariable-regex:
          metavariable: $IDEA
          regex: ^(IDEA)$
      - focus-metavariable: $IDEA
    fix: AES
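
A standard-library approximation of what the `pattern` line above looks for, added here as an example (it is not Semgrep's implementation and not code from the rule's authors): it resolves import aliases to the fully qualified name and reports the line numbers of `IDEA(...)` calls. The names `find_idea_calls`, `TARGET` and `SAMPLE` and the sample source are constructed for illustration.

```python
import ast

# Fully qualified name the rule's pattern targets.
TARGET = "cryptography.hazmat.primitives.ciphers.algorithms.IDEA"

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''\
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.algorithms import IDEA as LegacyAlgo
import cryptography.hazmat.primitives.ciphers.algorithms as alg

c1 = Cipher(algorithms.IDEA(key), mode=None)
c2 = Cipher(LegacyAlgo(key), modes.CBC(iv))
c3 = Cipher(alg.IDEA(key), modes.CBC(iv))
c4 = Cipher(algorithms.AES(key), modes.CBC(iv))
name = "algorithms.IDEA(key)"
'''


def find_idea_calls(source):
    """Return sorted line numbers of calls that resolve to algorithms.IDEA."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified dotted name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                # "import a.b.c" binds "a"; "import a.b.c as x" binds x to a.b.c
                local = a.asname or a.name.split(".")[0]
                aliases[local] = a.name if a.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def dotted(expr):
        # Rebuild "pkg.mod.Name" from an attribute chain, expanding the root alias.
        parts = []
        while isinstance(expr, ast.Attribute):
            parts.append(expr.attr)
            expr = expr.value
        if not isinstance(expr, ast.Name):
            return None
        return ".".join([aliases.get(expr.id, expr.id)] + parts[::-1])

    return sorted(n.lineno for n in ast.walk(tree)
                  if isinstance(n, ast.Call) and dotted(n.func) == TARGET)


if __name__ == "__main__":
    print(find_idea_calls(SAMPLE))
```

The aliased import on sample line 2 is reported alongside the direct `algorithms.IDEA` call, while the AES call and the string literal are not.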

Examples

insecure-cipher-algorithms.py

# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py

from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
import os

# Sample key and IV so the names used below are defined (16 bytes each)
key = os.urandom(16)
iv = os.urandom(16)

# ruleid:insecure-cipher-algorithm-idea
cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")

# ok:insecure-cipher-algorithm-idea
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()