Cryptographic Weakness from DES/3DES Usage in PyCryptodome

High Risk Cryptographic Vulnerabilities
pythonpycryptodomedes3desweak-cryptoencryption

What it is

Cryptographic weakness where code uses DES or 3DES encryption algorithms which have small key sizes (56 bits for DES) and known vulnerabilities. These algorithms are susceptible to brute-force attacks and collision attacks due to their small block size (64 bits). Modern computing power makes DES/3DES encryption easily breakable, allowing attackers to decrypt sensitive data and tamper with ciphertext integrity.

from Crypto.Cipher import DES
from Crypto.Random import get_random_bytes

# VULNERABLE: DES has only 56-bit key strength
def encrypt_data(plaintext, key):
    cipher = DES.new(key, DES.MODE_ECB)
    
    # Pad plaintext to 8-byte blocks
    padded = plaintext + b'\x00' * (8 - len(plaintext) % 8)
    
    return cipher.encrypt(padded)

# Weak: 8-byte key for DES
key = get_random_bytes(8)
encrypted = encrypt_data(b'Secret data', key)
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

# SECURE: AES-GCM with authentication
def encrypt_data(plaintext, key):
    nonce = get_random_bytes(12)
    cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
    
    ciphertext, tag = cipher.encrypt_and_digest(plaintext)
    
    return {'nonce': nonce, 'ciphertext': ciphertext, 'tag': tag}

def decrypt_data(encrypted, key):
    cipher = AES.new(key, AES.MODE_GCM, nonce=encrypted['nonce'])
    plaintext = cipher.decrypt_and_verify(
        encrypted['ciphertext'], encrypted['tag'])
    return plaintext

# Strong: 32-byte key for AES-256
key = get_random_bytes(32)
encrypted = encrypt_data(b'Secret data', key)

💡 Why This Fix Works

The vulnerable code uses DES with a weak 56-bit key and ECB mode without authentication. The secure version uses AES-256 (256-bit key) with GCM mode which provides both confidentiality and authentication, preventing decryption and tampering.

Why it happens

Using DES.new() from PyCryptodome which has a 56-bit effective key size.

Root causes

Using Legacy DES Encryption

Using DES.new() from PyCryptodome which has a 56-bit effective key size.

Using Insecure ECB Mode

Combining weak ciphers with insecure modes like ECB that don't provide authentication.

Legacy System Compatibility

Maintaining DES/3DES for compatibility with old systems instead of upgrading.

Fixes

1

Replace with AES-GCM

Use AES with GCM mode which provides both encryption and authentication.

2

Use 256-bit Keys

Generate 32-byte keys for AES-256 instead of 8-byte DES keys.

3

Generate Secure Nonces

Use get_random_bytes() to generate unique nonces for each encryption operation.

Detect This Vulnerability in Your Code

Sourcery automatically identifies cryptographic weakness from des/3des usage in pycryptodome and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities