/
insecure-cipher-mode-ecb.yaml
33 lines (33 loc) · 1.29 KB
/
insecure-cipher-mode-ecb.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
rules:
- id: insecure-cipher-mode-ecb
message: >-
ECB (Electronic Code Book) is the simplest mode of operation for block ciphers.
Each block of data is encrypted in the same way.
This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output.
Use a different, cryptographically strong mode instead, such as GCM.
metadata:
source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
cwe:
- 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
bandit-code: B305
references:
- https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes
- https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
category: security
technology:
- cryptography
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: MEDIUM
functional-categories:
- crypto::search::mode::cryptography
severity: WARNING
languages:
- python
pattern: cryptography.hazmat.primitives.ciphers.modes.ECB($IV)
fix: cryptography.hazmat.primitives.ciphers.modes.GCM($IV)