Use of broken or risky cryptographic algorithm
Description
DES, TripleDES, RC2, and RC4 are considered broken or insecure cryptographic algorithms. Newer algorithms apply message integrity to validate ciphertext and prevent tampering. Consider using ChaCha20Poly1305 instead, as it is easier and faster than alternatives like AES-256-GCM.
Examples
Insecure Code
python
cryptography.hazmat.primitives.ciphers.algorithms.ARC4()Secure Code
python
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
key = ChaCha20Poly1305.generate_key()
chacha = ChaCha20Poly1305(key)Remediation
Replace the insecure algorithm with a secure one like ChaCha20Poly1305 or AES-256-GCM, and ensure nonce values are regenerated every time they are used.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0124 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | insecure algorithm, cryptographic failure |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |