Skip to content
This repository has been archived by the owner on Oct 6, 2020. It is now read-only.

Latest commit

 

History

History
78 lines (58 loc) · 2.48 KB

DUO133.md

File metadata and controls

78 lines (58 loc) · 2.48 KB
Raw

DUO133

This linter searches for use of the Crypto module.

The Crypto module is provided by the pycrypto library. This library is no longer maintained and has known vulnerabilities and exploits (dlitz/pycrypto#176, dlitz/pycrypto#253, dlitz/pycrypto#269).

Problematic code

from Crypto.Cipher import AES

obj = AES.new('This is a key', AES.MODE_CBC, 'This is an IV')
message = 'One if by land, two if by sea'
ciphertext = obj.encrypt(message)

Correct code

This is just an example, but if you really are trying to accomplish symmetric key encryption then take a look at Fernet:

from cryptography.fernet import Fernet

key = Fernet.generate_key()
fernet = Fernet(key)
message = b'One if by land, two if by sea'
token = fernet.encrypt(message)

To illustrate corrections to the above code:

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

cipher = Cipher(
    algorithms.AES('This is a key'),
    modes.CBC('This is an IV'),
    backend=default_backend()
)
encryptor = cipher.encryptor()
message = b'One if by land, two if by sea'
ciphertext = encryptor.update(message) + encryptor.finalize()
from Cryptodome.Cipher import AES

obj = AES.new('This is a key', AES.MODE_CBC, 'This is an IV')
message = 'One if by land, two if by sea'
ciphertext = obj.encrypt(message)

Rationale

Using pycrypto is insecure for these reasons:

  • The library is unmaintained - future bugs will not be fixed.
  • There are known vulnerabilities along with working exploits.
  • The library's API does not encourage safe-by-default, simple, obvious code. Cryptography operations are notorious difficult, so working with a library that prioritizes simplicity and safety should be preferred.

The cryptography library is considered best-practice in the Python community. The pycryptodomex library should only be used when API-compatibility is necessary and cryptography cannot be used. Note that pycryptodomex is recommended over pycryptodome so Dlint can efficiently detect which library is being used. Both pycrypto and pycryptodome use the Crypto module, whereas pycryptodomex uses Cryptodome. This makes usage easier to detect.

Exceptions

None