== How to fix it in Cryptodome

=== Code examples

The example uses a hardcoded IV as a nonce, which causes AES-CCM to be insecure. To fix it, a nonce is randomly generated instead.

==== Noncompliant code example

[source,python,diff-id=101,diff-type=noncompliant]
----
from Crypto.Cipher import AES

def encrypt(key, plaintext):
    nonce   = '7cVgr5cbdCZV'.encode('utf-8')
    cipher = AES.new(key, AES.MODE_CCM, nonce)

    cipher.encrypt(plaintext)  # Noncompliant
----

==== Compliant solution

[source,python,diff-id=101,diff-type=compliant]
----
from Crypto.Cipher import AES

def encrypt(key, plaintext):
    cipher  = AES.new(key, AES.MODE_CCM)

    cipher.encrypt_and_digest(plaintext)
----

include::../../common/how-does-this-work.adoc[]