This linter searches for use of the Crypto
module.
The Crypto
module is provided by the pycrypto
library. This library is no longer maintained and has known vulnerabilities
and exploits (dlitz/pycrypto#176,
dlitz/pycrypto#253,
dlitz/pycrypto#269).
from Crypto.Cipher import AES
obj = AES.new('This is a key', AES.MODE_CBC, 'This is an IV')
message = 'One if by land, two if by sea'
ciphertext = obj.encrypt(message)
This is just an example, but if you really are trying to accomplish symmetric key encryption then take a look at Fernet:
from cryptography.fernet import Fernet
key = Fernet.generate_key()
fernet = Fernet(key)
message = b'One if by land, two if by sea'
token = fernet.encrypt(message)
To illustrate corrections to the above code:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
cipher = Cipher(
algorithms.AES('This is a key'),
modes.CBC('This is an IV'),
backend=default_backend()
)
encryptor = cipher.encryptor()
message = b'One if by land, two if by sea'
ciphertext = encryptor.update(message) + encryptor.finalize()
from Cryptodome.Cipher import AES
obj = AES.new('This is a key', AES.MODE_CBC, 'This is an IV')
message = 'One if by land, two if by sea'
ciphertext = obj.encrypt(message)
Using pycrypto
is insecure for these reasons:
- The library is unmaintained - future bugs will not be fixed.
- There are known vulnerabilities along with working exploits.
- The library's API does not encourage safe-by-default, simple, obvious code. Cryptography operations are notorious difficult, so working with a library that prioritizes simplicity and safety should be preferred.
The cryptography
library is considered best-practice in the Python community.
The pycryptodomex
library should only be used when API-compatibility is
necessary and cryptography
cannot be used. Note that pycryptodomex
is
recommended over pycryptodome
so Dlint can efficiently detect which library
is being used. Both pycrypto
and pycryptodome
use the Crypto
module,
whereas pycryptodomex
uses Cryptodome
. This makes usage easier to detect.
None