include::../description.adoc[]
== Noncompliant Code Example
https://pycryptodome.readthedocs.io[pycryptodomex] library:
----
from Cryptodome.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES
from Cryptodome.Random import get_random_bytes
key = b'-8B key-'
DES.new(key, DES.MODE_OFB) # Noncompliant: DES works with 56-bit keys, which allows attacks via exhaustive search
key = DES3.adjust_key_parity(get_random_bytes(24))
cipher = DES3.new(key, DES3.MODE_CFB) # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
key = b'Sixteen byte key'
cipher = ARC2.new(key, ARC2.MODE_CFB) # Noncompliant: RC2 is vulnerable to a related-key attack
key = b'Very long and confidential key'
cipher = ARC4.new(key) # Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
key = b'An arbitrarily long key'
cipher = Blowfish.new(key, Blowfish.MODE_CBC) # Noncompliant: Blowfish uses a 64-bit block size, which makes it vulnerable to birthday attacks
----
https://pycryptodome.readthedocs.io[pycryptodome] library:
----
from Crypto.Cipher import DES, DES3, ARC2, ARC4, Blowfish, AES
from Crypto.Random import get_random_bytes
key = b'-8B key-'
DES.new(key, DES.MODE_OFB) # Noncompliant: DES works with 56-bit keys, which allows attacks via exhaustive search
key = DES3.adjust_key_parity(get_random_bytes(24))
cipher = DES3.new(key, DES3.MODE_CFB) # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
key = b'Sixteen byte key'
cipher = ARC2.new(key, ARC2.MODE_CFB) # Noncompliant: RC2 is vulnerable to a related-key attack
key = b'Very long and confidential key'
cipher = ARC4.new(key) # Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
key = b'An arbitrarily long key'
cipher = Blowfish.new(key, Blowfish.MODE_CBC) # Noncompliant: Blowfish uses a 64-bit block size, which makes it vulnerable to birthday attacks
----
https://cryptography.io/en/latest/[pyca] library:
----
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
key = os.urandom(16)
iv = os.urandom(16)
tdes4 = Cipher(algorithms.TripleDES(key), mode=None, backend=default_backend()) # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
bf3 = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend()) # Noncompliant: Blowfish uses a 64-bit block size, which makes it vulnerable to birthday attacks
rc42 = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend()) # Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
----
https://pypi.org/project/pyDes/[pydes] library:
----
import pyDes
des1 = pyDes.des('ChangeIt') # Noncompliant: DES works with 56-bit keys, which allows attacks via exhaustive search
des2 = pyDes.des('ChangeIt', pyDes.CBC, "\0\0\0\0\0\0\0\0", pad=None, padmode=pyDes.PAD_PKCS5) # Noncompliant: DES works with 56-bit keys, which allows attacks via exhaustive search
tdes1 = pyDes.triple_des('ChangeItWithYourKey!!!!!') # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
tdes2 = pyDes.triple_des('ChangeItWithYourKey!!!!!', pyDes.CBC, "\0\0\0\0\0\0\0\0", pad=None, padmode=pyDes.PAD_PKCS5) # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
----
The https://pycrypto.readthedocs.io/en/latest/[pycrypto] library is not maintained and therefore should not be used:
----
from Crypto.Cipher import *
des3 = DES.new('ChangeIt') # Noncompliant: DES works with 56-bit keys, which allows attacks via exhaustive search
tdes3 = DES3.new('ChangeItChangeIt') # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attacks
bf2 = Blowfish.new('ChangeItWithYourKey', Blowfish.MODE_CBC, 'ChangeIt') # Noncompliant: Blowfish uses a 64-bit block size, which makes it vulnerable to birthday attacks
rc21 = ARC2.new('ChangeItWithYourKey', ARC2.MODE_CFB, 'ChangeIt') # Noncompliant: RC2 is vulnerable to a related-key attack
rc41 = ARC4.new('ChangeItWithYourKey') # Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
----
== Compliant Solution
https://pycryptodome.readthedocs.io[pycryptodomex] library:
----
from Cryptodome.Cipher import AES
key = b'Sixteen byte key'
cipher = AES.new(key, AES.MODE_CCM) # Compliant
----
https://pycryptodome.readthedocs.io[pycryptodome] library:
----
from Crypto.Cipher import AES
key = b'Sixteen byte key'
cipher = AES.new(key, AES.MODE_CCM) # Compliant
----
https://cryptography.io/en/latest/[pyca] library:
----
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
key = os.urandom(16)
iv = os.urandom(16)
aes2 = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) # Compliant
----
The https://pycrypto.readthedocs.io/en/latest/[pycrypto] library is not maintained and therefore should not be used:
----
from Crypto.Cipher import *
aes1 = AES.new('This is a key123', AES.MODE_CBC, 'This is an IV456') # Compliant
----
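
The distinction between the noncompliant and compliant calls above can be checked statically with Python's `ast` module. This is an added example, not code from the original page or from any of the libraries shown; `WEAK_CALLS`, `find_weak_ciphers` and `SAMPLE` are hypothetical names and the sample source is constructed. It matches only the `name.attr(...)` call shapes that appear in the noncompliant examples.

```python
import ast

# Weak constructors taken from the noncompliant examples on this page.
# Keys are (receiver name, attribute); values are the reason reported.
WEAK_CALLS = {
    ("DES", "new"): "DES: 56-bit key",
    ("DES3", "new"): "Triple DES: meet-in-the-middle",
    ("ARC2", "new"): "RC2: related-key attack",
    ("ARC4", "new"): "RC4: several known attacks",
    ("Blowfish", "new"): "Blowfish: 64-bit block size",
    ("algorithms", "TripleDES"): "Triple DES: meet-in-the-middle",
    ("algorithms", "Blowfish"): "Blowfish: 64-bit block size",
    ("algorithms", "ARC4"): "RC4: several known attacks",
    ("pyDes", "des"): "DES: 56-bit key",
    ("pyDes", "triple_des"): "Triple DES: meet-in-the-middle",
}

def find_weak_ciphers(source):
    """Return sorted (line, call, reason) tuples for weak cipher constructors."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match only the `name.attr(...)` shape used in the examples above.
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            reason = WEAK_CALLS.get((func.value.id, func.attr))
            if reason:
                findings.append((node.lineno, f"{func.value.id}.{func.attr}", reason))
    return sorted(findings)

# Constructed sample input: mixes calls from the noncompliant and compliant examples.
# It is only parsed, never executed, so `key` and `iv` need not be defined.
SAMPLE = '''\
from Crypto.Cipher import DES, ARC4, AES
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import pyDes
c1 = DES.new(key, DES.MODE_OFB)
c2 = ARC4.new(key)
c3 = Cipher(algorithms.TripleDES(key), mode=None)
c4 = pyDes.triple_des(key)
ok1 = AES.new(key, AES.MODE_CCM)
ok2 = Cipher(algorithms.AES(key), modes.CBC(iv))
'''

if __name__ == "__main__":
    for line, call, reason in find_weak_ciphers(SAMPLE):
        print(f"line {line}: {call} -> {reason}")
```

Aliased or direct imports (for example `from pyDes import des`) are not resolved by this check and need import tracking to catch.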
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]