Use of DES or 3DES Weak Cipher

HIGH

Detects use of DES/3DES (crypto/des) — DES uses a 56-bit key exhausted in 22 hours (1999); 3DES is vulnerable to the SWEET32 birthday attack and disallowed by NIST after December 31, 2023.

Rule Information

Language
Go
Category
Security
Author
Shivasurya
Last Updated
2026-04-13
Tags
go, security, crypto, des, 3des, triple-des, sweet32, birthday-attack, CWE-327, OWASP-A02
pathfinder scan --ruleset golang/GO-CRYPTO-003 --project .

About This Rule

Understanding the vulnerability and how it is detected

**DES (Data Encryption Standard)**: Standardized in 1977 with a 56-bit key (2^56 ≈ 72 quadrillion combinations). The EFF's "Deep Crack" machine broke a DES-encrypted message in 22 hours and 15 minutes in January 1999, spending approximately $250,000 on hardware. Modern cloud infrastructure makes DES key exhaustion trivial. DES must never be used.

**3DES (Triple DES / TDEA)**: 3DES applies DES three times with independent keys, providing 112-bit effective security. However, 3DES retains DES's 64-bit block size — and that is its fatal weakness.

The **SWEET32 attack** (Bhargavan and Leurent, ACM CCS 2016; CVE-2016-2183) exploits the birthday bound of 64-bit block ciphers. In CBC mode, after approximately 2^32 blocks (32 GB of data encrypted under the same key), a block collision is expected with ~50% probability. From a block collision, the attacker can XOR two ciphertext blocks to recover the XOR of the corresponding plaintexts. In a proof-of-concept, researchers recovered a 16-byte HTTP BasicAuth session cookie in under 38 hours by sending ~785 GB of HTTPS requests in the background of a long-lived TLS session.

**NIST retirement**: NIST SP 800-131A Rev 2 (2019) deprecated 3DES for applying cryptographic protection through December 31, 2023, and **disallowed it after that date**. As of 2024, 3DES is prohibited for encryption under all NIST guidance. Legacy decryption (reading old data) remains allowed to preserve interoperability.

**Replacement**: AES-GCM is the correct modern replacement. AES operates on 128-bit blocks (birthday bound: 2^64 blocks = 256 exabytes — unreachable in practice), and GCM is an AEAD construction providing authenticated encryption and integrity in a single pass.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. SWEET32 Session Decryption (CVE-2016-2183)

A 3DES-CBC TLS session carrying 32+ GB of data is vulnerable to birthday attack block collision. The SWEET32 proof-of-concept recovered session cookie credentials (HTTP BasicAuth username and password) in under 38 hours of sustained traffic. This affected approximately 1–2% of TLS connections in 2016.

2. DES Brute Force

DES with its 56-bit key can be exhausted in hours using modern hardware. Any encrypted data or keys protected only by DES must be considered compromised.

3. Long-Lived Session Vulnerability

VPN tunnels, database connection pools, and long-running API sessions are particularly vulnerable to SWEET32 because the same session key encrypts traffic over extended time periods, making 32 GB accumulation realistic.

How to Fix

Recommended remediation steps

  1. Replace des.NewCipher and des.NewTripleDESCipher with aes.NewCipher + cipher.NewGCM.
  2. Use 32-byte (256-bit) keys for AES-256-GCM for strongest security.
  3. Never reuse a GCM nonce with the same key — use crypto/rand for fresh 12-byte nonces.
  4. AES-GCM provides both confidentiality and integrity — no separate MAC step needed.
  5. For TLS configuration, Go's crypto/tls defaults are safe — do not add 3DES cipher suites.

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

Detects all calls to crypto/des package methods (NewCipher, NewTripleDESCipher). Both DES and 3DES are flagged — DES because its key is trivially exhausted, 3DES because it is disallowed by NIST as of January 1, 2024.

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

NIST SP 800-131A Rev 2 (2019)
Two-key TDEA (2DES): disallowed for encryption. Three-key TDEA (3DES) for encryption: deprecated through Dec 31, 2023; disallowed after. URL: https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
PCI DSS v4.0
Requirement 4.2.1 — Strong cryptography required. 3DES not considered strong.
OWASP Top 10
A02:2021 — Cryptographic Failures

Frequently Asked Questions

Common questions about Use of DES or 3DES Weak Cipher

Use Code Pathfinder to scan your codebase: pathfinder scan --ruleset golang/GO-CRYPTO-003 --project .
This vulnerability is rated as HIGH severity.
Yes! Code Pathfinder allows you to customize rules. Modify detection patterns, adjust severity levels, add custom sanitizers, and configure the rule to fit your organization's security policies.
