Use of Broken or Risky Cryptographic Algorithm
Description
The Blowfish encryption algorithm is considered insecure for encrypting files over 4GB in size, because its 64-bit block size exposes it to block-collision attacks as the amount of data encrypted under a single key grows. It should be replaced with an authenticated cipher such as ChaCha20Poly1305 or AES-GCM.
Examples

Insecure Code

```python
cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)
```

Secure Code
```python
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

# 256-bit key drawn from the library's CSPRNG; keep it out of source control
key = ChaCha20Poly1305.generate_key()
chacha = ChaCha20Poly1305(key)
```

Remediation
Replace Blowfish with an AEAD cipher such as ChaCha20Poly1305 or AES-GCM for secure encryption, and use a fresh nonce for every message encrypted under the same key.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0125 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, Blowfish |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
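To check a code base for the insecure pattern this rule describes, the following added example (not part of the rule's own tooling) resolves Python import aliases with the standard library's `ast` module and reports every construction of `Blowfish` from pyca/cryptography, including the `decrepit` module path to which newer releases of that library moved the legacy ciphers; the sample source it scans is constructed for the demonstration.

```python
import ast

# Paths where pyca/cryptography exposes Blowfish (newer releases moved it to "decrepit").
BLOWFISH_PATHS = {
    "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
    "cryptography.hazmat.decrepit.ciphers.algorithms.Blowfish",
}

# Constructed sample source (only parsed, never executed): Blowfish is built on
# lines 4 and 5 via two different import styles; line 6 must not be reported.
SAMPLE = """\
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
import cryptography.hazmat.decrepit.ciphers.algorithms as legacy
old = Cipher(algorithms.Blowfish(key), modes.CBC(iv))
still_old = Cipher(legacy.Blowfish(key), modes.CBC(iv))
new = ChaCha20Poly1305(key)
"""

def _dotted(node):
    # Rebuild "a.b.c" from an ast.Attribute chain that ends in an ast.Name.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))

def find_blowfish(source):
    # Return sorted (lineno, fully qualified name) for every Blowfish(...) call.
    tree = ast.parse(source)
    aliases = {}  # local binding -> fully qualified name, taken from the imports
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name is not None:
            head, _, rest = name.partition(".")  # resolve the leading binding
            resolved = aliases.get(head, head) + (f".{rest}" if rest else "")
            if resolved in BLOWFISH_PATHS:
                findings.append((node.lineno, resolved))
    return sorted(findings)
```

Running `find_blowfish(SAMPLE)` reports lines 4 and 5 with their resolved module paths and stays silent on the ChaCha20Poly1305 construction.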