Use of Broken or Risky Cryptographic Algorithm
Description
The Blowfish encryption algorithm has a 64-bit block size, which is why it is considered insecure for encrypting files over 4GB in size under a single key; it should be replaced with an authenticated (AEAD) alternative such as ChaCha20Poly1305 or AES-GCM.
Examples
Insecure Code

```python
from Crypto.Cipher import Blowfish  # or: from Cryptodome.Cipher import Blowfish
cipher = Blowfish.new(key, Blowfish.MODE_CBC, iv=iv)  # Blowfish constructor: flagged by this rule
```

Secure Code

```python
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305, AESGCM
aead = ChaCha20Poly1305(key)  # or AESGCM(key); both are AEAD constructions with a 96-bit nonce
```

Remediation
Replace Blowfish with ChaCha20Poly1305 or AES-GCM from the cryptography package.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0115 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, Blowfish |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
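Detection logic for this rule, as an added example (not the scanner's own implementation): an AST-based check that resolves import aliases, so `Blowfish.new(...)` from either PyCryptodome package name is caught even when the module or function has been renamed at import time. The sample source being scanned is constructed for the example.

```python
import ast

FLAGGED = {"Crypto.Cipher.Blowfish.new", "Cryptodome.Cipher.Blowfish.new"}  # both PyCryptodome package names

def _dotted_name(node):
    # Turn a Name/Attribute chain such as BF.new into "BF.new" (None if it is not a plain chain).
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

class BlowfishFinder(ast.NodeVisitor):  # resolves import aliases before matching call targets
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified name
        self.findings = []  # (line number, resolved call target)
    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:  # import Cryptodome.Cipher.Blowfish as BF
                self.aliases[alias.asname] = alias.name
    def visit_ImportFrom(self, node):
        for alias in node.names:
            if node.module:  # relative imports have no absolute path to resolve
                self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name:
            head, _, rest = name.partition(".")
            resolved = self.aliases.get(head, head) + ("." + rest if rest else "")
            if resolved in FLAGGED:
                self.findings.append((node.lineno, resolved))
        self.generic_visit(node)  # keep descending: calls may be nested in arguments

def find_blowfish_calls(source):
    # Returns [(line, qualified call)] for every Blowfish constructor call in the source text.
    finder = BlowfishFinder()
    finder.visit(ast.parse(source))
    return finder.findings

# Constructed sample input: two aliased Blowfish constructions plus the recommended AEAD.
SAMPLE = """\
from Crypto.Cipher import Blowfish
import Cryptodome.Cipher.Blowfish as BF
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
c1 = Blowfish.new(key, Blowfish.MODE_CBC, iv)
c2 = BF.new(key, BF.MODE_ECB)
c3 = AESGCM(key)  # recommended replacement, not flagged
"""
```

Running `find_blowfish_calls(SAMPLE)` reports lines 4 and 5 with their resolved targets and leaves the AESGCM construction alone.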