Pattern: Use of insecure or sub-optimal cipher
Issue: -
Insecure or sub-optimal cipher could be possibly dangerous and should be replaced with a better alternative such as AES. For example,
DES is now considered insecure because a brute force attack is possible. DES module in Cipher package is provided only for legacy purposes with recommendation to use AES instead.
Use the following table to replace legacy cipher:
| From | To |
|---|---|
| ARC2 | AES |
| ARC4 | ChaCha20 |
| Blowfish | AES |
| DES | AES |
| IDEA | AES |
This rule checks for the following calls:
Crypto.Cipher.ARC2.newCrypto.Cipher.ARC4.newCrypto.Cipher.Blowfish.newCrypto.Cipher.DES.newCrypto.Cipher.XOR.newCryptodome.Cipher.ARC2.newCryptodome.Cipher.ARC4.newCryptodome.Cipher.Blowfish.newCryptodome.Cipher.DES.newCryptodome.Cipher.XOR.newcryptography.hazmat.primitives.ciphers.algorithms.ARC4cryptography.hazmat.primitives.ciphers.algorithms.Blowfishcryptography.hazmat.primitives.ciphers.algorithms.IDEA