This vulnerability makes it possible that the cleartext of the encrypted message might be recoverable without prior knowledge of the key.

Why is this an issue?

Encryption algorithms are essential for protecting sensitive information and ensuring secure communication in various domains. They are used for several important reasons:

When selecting encryption algorithms, tools, or combinations, you should also consider two things:

  1. No encryption is unbreakable.
  2. The strength of an encryption algorithm is usually measured by the effort required to crack it within a reasonable time frame.

For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and secure by the cryptography community.

What is the potential impact?

The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.

Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.

Theft of sensitive data

The encrypted message might contain data that is considered sensitive and should not be known to third parties.

By using a weak algorithm the likelihood that an attacker might be able to recover the cleartext drastically increases.

Additional attack surface

By modifying the cleartext of the encrypted message it might be possible for an attacker to trigger other vulnerabilities in the code. Encrypted values are often considered trusted, since under normal circumstances it would not be possible for a third party to modify them.

How to fix it in Cryptodome

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

from Crypto.Cipher import DES # pycryptodome
from Cryptodome.Cipher import DES # pycryptodomex

cipher = DES.new(key, DES.MODE_OFB) # Noncompliant

Compliant solution

from Crypto.Cipher import AES # pycryptodome
from Cryptodome.Cipher import AES # pycryptodomex

cipher = AES.new(key, AES.MODE_CCM)

How does this work?

Use a secure algorithm

It is highly recommended to use an algorithm that is currently considered secure by the cryptographic community. A common choice for such an algorithm is the Advanced Encryption Standard (AES).

For block ciphers, it is not recommended to use algorithms with a block size that is smaller than 128 bits.

How to fix it in pyca

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

cipher = Cipher(algorithms.TripleDES(key), mode=None)  # Noncompliant

Compliant solution

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

cipher = Cipher(algorithms.AES(key), modes.CTR(nonce))

In this example, the counter mode (CTR) of AES is used. This mode takes a cryptographic nonce (a number used only once) as its initialization vector (IV). This value must never be reused, as doing so allows attackers to decrypt any message encrypted with the same key.

How does this work?

Use a secure algorithm

It is highly recommended to use an algorithm that is currently considered secure by the cryptographic community. A common choice for such an algorithm is the Advanced Encryption Standard (AES).

For block ciphers, it is not recommended to use algorithms with a block size that is smaller than 128 bits.

How to fix it in PyCrypto

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

from Crypto.Cipher import DES

cipher = DES.new(key, DES.MODE_OFB) # Noncompliant

Compliant solution

PyCrypto is deprecated, thus it is recommended to use another library like PyCryptodome.

from Crypto.Cipher import AES # pycryptodome
from Cryptodome.Cipher import AES # pycryptodomex

cipher = AES.new(key, AES.MODE_CCM)

How does this work?

Use a secure algorithm

It is highly recommended to use an algorithm that is currently considered secure by the cryptographic community. A common choice for such an algorithm is the Advanced Encryption Standard (AES).

For block ciphers, it is not recommended to use algorithms with a block size that is smaller than 128 bits.

How to fix it in pyDes

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

import pyDes

cipher = pyDes.des(key) # Noncompliant

Compliant solution

Since pyDes only provides DES, it is recommended to use another library like pyca/cryptography.

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

cipher = Cipher(algorithms.AES(key), modes.CTR(nonce))

In this example, the counter mode (CTR) of AES is used. This mode takes a cryptographic nonce (a number used only once) as its initialization vector (IV). This value must never be reused, as doing so allows attackers to decrypt any message encrypted with the same key.

How does this work?

Use a secure algorithm

It is highly recommended to use an algorithm that is currently considered secure by the cryptographic community. A common choice for such an algorithm is the Advanced Encryption Standard (AES).

For block ciphers, it is not recommended to use algorithms with a block size that is smaller than 128 bits.

How to fix it in ssl

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

import ssl

ciphers = 'RC4-SHA:RC4-MD5'
ctx = ssl.create_default_context()
ctx.set_ciphers(ciphers)  # Noncompliant

Compliant solution

import ssl

ctx = ssl.create_default_context()

How does this work?

It is recommended to not override the ciphers but instead, use the secure default ciphers of the module, as they might change over time. If specific cipher suites need to be enabled or disabled, then this is also possible by adding them after the DEFAULT cipher suite string.

For example, DEFAULT:!RSA:!SHA enables all default cipher suites except those using RSA and SHA1. DEFAULT:HIGH+AESGCM enables all default cipher suites, as well as all high encryption cipher suites that use AES-GCM.

More information about possible options can be found in the OpenSSL documentation.

How to fix it in OpenSSL

Code examples

The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.

Noncompliant code example

from OpenSSL import SSL

ciphers = b"DEFAULT:RC4-SHA:RC4-MD5"
ctx = SSL.Context(SSL.TLS1_3_VERSION)
ctx.set_cipher_list(ciphers)  # Noncompliant

Compliant solution

from OpenSSL import SSL

ctx = SSL.Context(SSL.TLS1_3_VERSION)

How does this work?

It is recommended to not override the ciphers but instead, use the secure default ciphers of the module, as they might change over time. If specific cipher suites need to be enabled or disabled, then this is also possible by adding them after the DEFAULT cipher suite string.

For example, DEFAULT:!RSA:!SHA enables all default cipher suites except those using RSA and SHA1. DEFAULT:HIGH+AESGCM enables all default cipher suites, as well as all high encryption cipher suites that use AES-GCM.

More information about possible options can be found in the OpenSSL documentation.

Resources

Standards