Use of broken or risky cryptographic algorithm
Description
DES, TripleDES, RC2, and RC4 are considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext and prevent tampering. Consider using ChaCha20Poly1305 instead, as it is easier and faster than alternatives like AES-256-GCM.
Examples
Insecure Code
python
Cryptodome.Cipher.DES.new(...) or Crypto.Cipher.DES.new(...)Secure Code
python
ChaCha20Poly1305(key) or AESGCM(key)Remediation
Replace insecure algorithms with ChaCha20Poly1305 or AES-256-GCM, and ensure the use of secure key generation and nonce regeneration.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0116 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | insecure algorithm, cryptographic failure |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |