python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea
Verifed by r2c
Community Favorite
semgrep
Author
99,223
Download Count*
License
IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the cryptography
package it is recommended to use Fernet
which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the Cipher
class from the hazmat primitives but use the AES algorithm instead.
Run Locally
Run in CI
Defintion
rules:
- id: insecure-cipher-algorithm-idea
message: IDEA (International Data Encryption Algorithm) is a block cipher
created in 1991. It is an optional component of the OpenPGP standard.
This cipher is susceptible to attacks when using weak keys. It is
recommended that you do not use this cipher for new applications. Use a
strong symmetric cipher such as EAS instead. With the `cryptography`
package it is recommended to use `Fernet` which is a secure implementation
of AES in CBC mode with a 128-bit key. Alternatively, keep using the
`Cipher` class from the hazmat primitives but use the AES algorithm
instead.
metadata:
source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
cwe:
- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
bandit-code: B304
references:
- https://tools.ietf.org/html/rfc5469
- https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA
category: security
technology:
- cryptography
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
functional-categories:
- crypto::search::symmetric-algorithm::cryptography
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
severity: WARNING
languages:
- python
patterns:
- pattern: cryptography.hazmat.primitives.ciphers.algorithms.$IDEA($KEY)
- metavariable-regex:
metavariable: $IDEA
regex: ^(IDEA)$
- focus-metavariable: $IDEA
fix: AES
Examples
insecure-cipher-algorithms.py
# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import modes
from cryptography.hazmat.backends import default_backend
from struct import pack
# ruleid:insecure-cipher-algorithm-idea
cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message")
# ok:insecure-cipher-algorithm-idea
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
encryptor = cipher.encryptor()
ct = encryptor.update(b"a secret message") + encryptor.finalize()
Short Link: https://sg.run/3xyK