python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb

Verified by r2c
Community Favorite
Author: returntocorp
Downloads: 99,223

Detected ECB cipher mode which is considered insecure. The algorithm can potentially leak information about the plaintext. Use CBC mode instead.

Definition

rules:
  - id: insecure-cipher-mode-ecb
    pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)
    message: Detected ECB cipher mode which is considered insecure. The algorithm
      can potentially leak information about the plaintext. Use CBC mode
      instead.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      bandit-code: B305
      references:
        - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
      category: security
      technology:
        - cryptography
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

insecure-cipher-mode-ecb.py

# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/cipher-modes.py

import os

from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, ECB

key = os.urandom(32)  # 256-bit AES key
iv = os.urandom(16)   # one 128-bit block, used as CBC IV / CTR initial counter block


# Insecure mode: ECB takes no IV, so equal plaintext blocks produce equal ciphertext blocks
# ruleid: insecure-cipher-mode-ecb
mode = ECB()

# Secure cipher and mode (no ECB anywhere in the call)
# ok: insecure-cipher-mode-ecb
cipher = Cipher(AES(key), CTR(iv))

# Secure mode
# ok: insecure-cipher-mode-ecb
mode = CBC(iv)
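The leak the rule description refers to is visible directly in ciphertext: under ECB, identical plaintext blocks encrypt to identical ciphertext blocks, so repeated structure in the input survives encryption, while CBC chains each block to the previous one and hides it. The following is an added demonstration, not part of the Semgrep rule or the bandit example above; it uses the same cryptography library the rule targets, and the key, IV and sample record are constructed values chosen for the demo. The repeated-block count it computes is the classic audit heuristic for spotting ECB-encrypted data at rest.

```python
import os
from collections import Counter

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes

# Constructed demo values (fixed so the result is reproducible); real code
# must use os.urandom() for keys and IVs.
DEMO_KEY = bytes(range(32))
DEMO_IV = bytes(range(16))

# Constructed sample record: long runs of identical 16-byte chunks around a
# short secret, the way a padded form field or a flat image background looks.
SAMPLE = b"A" * 64 + b"ACCOUNT=4242" + b"A" * 64


def encrypt(key: bytes, mode, plaintext: bytes) -> bytes:
    """PKCS#7-pad the plaintext and encrypt it with AES under the given mode object."""
    padder = padding.PKCS7(algorithms.AES.block_size).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), mode).encryptor()
    return encryptor.update(padded) + encryptor.finalize()


def repeated_block_count(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier block.

    A non-zero count on data of any size is a strong indicator of ECB mode,
    since a chained or counter mode makes such collisions negligibly likely.
    """
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return sum(n - 1 for n in Counter(blocks).values() if n > 1)


def compare_modes(key: bytes, iv: bytes, plaintext: bytes) -> dict:
    """Encrypt the same plaintext under ECB and CBC and report repeated blocks per mode."""
    ecb_ct = encrypt(key, modes.ECB(), plaintext)
    cbc_ct = encrypt(key, modes.CBC(iv), plaintext)
    return {"ECB": repeated_block_count(ecb_ct), "CBC": repeated_block_count(cbc_ct)}


if __name__ == "__main__":
    result = compare_modes(DEMO_KEY, DEMO_IV, SAMPLE)
    for mode_name, repeats in result.items():
        print(f"{mode_name}: {repeats} repeated ciphertext block(s)")
    # Same check with a fresh random key, to show CBC's result does not depend on the demo values.
    print(compare_modes(os.urandom(32), os.urandom(16), SAMPLE))
```

For the constructed sample the padded input is nine blocks, seven of which are the all-`A` block, so ECB yields six repeated ciphertext blocks and CBC yields none; anyone holding only the ciphertext can see where the record's structure changes. Scanning stored blobs for repeated 16-byte blocks is a cheap complement to the static rule above when the encrypting code is not available for review.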