RC4 (ARC4) Cipher Usage via PyCryptodome

HIGH

Detects use of the RC4 stream cipher through PyCryptodome's ARC4 module, which has known keystream biases and is prohibited by RFC 7465.

Rule Information

Language
Python
Category
Cryptography
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, pycryptodome, rc4, arc4, stream-cipher, broken-crypto, CWE-327, OWASP-A02
CWE References

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-001a --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects calls to `Crypto.Cipher.ARC4.new()` from the PyCryptodome library. RC4 (marketed under the alias ARC4 to avoid trademark issues) is a stream cipher that has been cryptographically broken since the early 2000s and explicitly prohibited in TLS by RFC 7465 since 2015.

PyCryptodome's ARC4 module is a direct implementation of the RC4 keystream generator. It produces a statistically biased output: the first 256 bytes of keystream are strongly correlated with the key, making it possible to recover the key or plaintext from sufficient ciphertext. The RC4NOMORE attack demonstrated full HTTP session cookie recovery within 75 hours against live HTTPS traffic using RC4 cipher suites.

The rule matches `PyCryptoCipherARC4.method("new")` -- the constructor call for ARC4 cipher objects in PyCryptodome. No mode or key size makes RC4 safe. The companion rule PYTHON-CRYPTO-SEC-001 covers the same algorithm in the `cryptography` library.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Biased Keystream Enables Statistical Plaintext Recovery

RC4's keystream generator produces output with measurable statistical biases, particularly in the first 256 bytes. An attacker who can collect multiple ciphertexts encrypted under the same key -- or in the case of web sessions, repeated encryptions of the same secret -- can recover the plaintext using known-plaintext or distinguishing attacks within a practical time frame.

2. Prohibited in TLS by RFC 7465

RFC 7465 (2015) forbids the negotiation of any RC4-based TLS cipher suite. If PyCryptodome ARC4 is used in a transport encryption context, it violates this requirement outright. Systems subject to PCI DSS, HIPAA, or government security frameworks will receive mandatory findings for RC4 usage.

3. No Integrity Protection -- Bit-Flip Attacks Apply

ARC4 in PyCryptodome operates as a raw XOR stream cipher with no MAC or authentication tag. An attacker with write access to the ciphertext can flip any bit and the corresponding plaintext bit will flip predictably, enabling undetected modification of encrypted content.

4. Key Reuse Reveals Both Plaintexts

Reusing an ARC4 key across two plaintexts produces two ciphertexts whose XOR equals the XOR of the two plaintexts. Standard crib-dragging techniques can then recover both messages without the key. Any code that wraps ARC4 in a loop or reuses key material is immediately vulnerable.
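A standard-library demonstration of the two properties in items 3 and 4, added here as an illustration and not part of the rule or of PyCryptodome: a from-scratch RC4 (a stand-in for Crypto.Cipher.ARC4 so it runs without the dependency) shows that a flipped ciphertext bit lands in the plaintext at the same position, and that two ciphertexts under one key XOR to the XOR of their plaintexts. The key and messages are constructed.

```python
import secrets

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); stands in for Crypto.Cipher.ARC4 here."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))

def bit_flip_effect(key: bytes, plaintext: bytes, index: int, mask: int) -> bytes:
    """What the receiver decrypts after one ciphertext byte is XORed with mask.
    With no MAC, the change lands in the plaintext at the same position."""
    ct = bytearray(rc4_crypt(key, plaintext))
    ct[index] ^= mask
    return rc4_crypt(key, bytes(ct))

def key_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts under one key: the keystream cancels out,
    leaving p1 XOR p2, which needs no key to compute."""
    return xor_bytes(rc4_crypt(key, p1), rc4_crypt(key, p2))

if __name__ == "__main__":
    key = secrets.token_bytes(16)              # constructed demo key
    print(bit_flip_effect(key, b"amount=0100", 7, 0x01))     # b'amount=1100'
    p1, p2 = b"attack at dawn", b"retreat at dusk"
    print(key_reuse_leak(key, p1, p2) == xor_bytes(p1, p2))  # True
```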

How to Fix

Recommended remediation steps

  1. Replace Crypto.Cipher.ARC4 with AES in GCM mode (AES.new(key, AES.MODE_GCM)) for authenticated encryption
  2. Use the cryptography library's ChaCha20Poly1305 AEAD primitive as an alternative to AES-GCM
  3. Never reuse a key with ARC4 or any stream cipher -- always derive a fresh key per encryption session
  4. If migrating from ARC4, re-encrypt all stored data with AES-256-GCM and rotate the key material
  5. Enable this rule in CI/CD pipelines to catch any re-introduction of ARC4 through library version changes

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches calls to `Crypto.Cipher.ARC4.new()` in PyCryptodome via the QueryType pattern `PyCryptoCipherARC4.method("new")`. It fires on any instantiation of an ARC4 cipher object, regardless of the key length passed. There is no safe usage of RC4, so no sanitizer exclusions are defined. The companion rule PYTHON-CRYPTO-SEC-001 covers the same algorithm in the `cryptography` hazmat library.
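To show what "any instantiation regardless of key length" means in practice, here is a small AST-based matcher added as an illustration; it is not Code Pathfinder's engine or its QueryType language, just a standard-library approximation of the same matching logic that also resolves import aliases. The sample source is constructed.

```python
import ast

def _dotted_name(node):
    """`a.b.c` -> "a.b.c"; None when the callee is not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def find_arc4_constructors(source: str) -> list[int]:
    """Line numbers of every Crypto.Cipher.ARC4.new(...) call, with import
    aliases resolved. Any instantiation fires, whatever key length is passed."""
    tree = ast.parse(source)
    aliases = {}                               # local name -> qualified module path
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):       # import Crypto.Cipher.ARC4 [as x]
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:               # from Crypto.Cipher import ARC4 [as x]
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in ast.walk(tree):
        name = _dotted_name(node.func) if isinstance(node, ast.Call) else None
        if name is None:
            continue
        head, _, rest = name.partition(".")
        qualified = aliases.get(head, head) + ("." + rest if rest else "")
        if qualified == "Crypto.Cipher.ARC4.new":
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample: three ARC4 spellings that must fire, one AES call that must not.
SAMPLE = """\
from Crypto.Cipher import ARC4, AES
from Crypto.Cipher import ARC4 as RC4
import Crypto.Cipher.ARC4
c1 = ARC4.new(b"k" * 16)
c2 = RC4.new(b"k" * 16)
c3 = Crypto.Cipher.ARC4.new(b"k" * 16)
ok = AES.new(b"k" * 16, AES.MODE_GCM)
"""

if __name__ == "__main__":
    print(find_arc4_constructors(SAMPLE))      # [4, 5, 6]
```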

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for data protection
NIST SP 800-131A
Transitioning to approved algorithms -- RC4/DES/3DES disallowed
NIST SP 800-53
SC-13: Cryptographic Protection
RFC 7465
RC4 cipher suites are prohibited in all versions of TLS

Frequently Asked Questions

Common questions about RC4 (ARC4) Cipher Usage via PyCryptodome

No. The rule specifically matches calls to ARC4.new(), not generic imports of the Crypto.Cipher package. Only the instantiation of an ARC4 cipher object triggers a finding. Other PyCryptodome ciphers (AES, ChaCha20) are not flagged by this rule.

The RC4NOMORE research (2015) demonstrated full cookie recovery in approximately 75 hours of sustained traffic against a target using RC4 in TLS. For offline attacks against stored data where an attacker partially controls the plaintext (known-plaintext scenario), recovery can be significantly faster depending on data volume and keystream reuse.

No. PyCryptodome's AES in GCM mode has a very similar API: AES.new(key, AES.MODE_GCM), followed by encrypt_and_digest(). The key size changes from 5-16 bytes (RC4 accepts variable lengths) to a fixed 16, 24, or 32 bytes (128/192/256-bit AES). The main change is storing and verifying the authentication tag, which ARC4 does not produce.

With AES-GCM, encrypt_and_digest() returns both the ciphertext and a 16-byte authentication tag. Store both. On decryption, pass the tag to decrypt_and_verify() -- it raises ValueError if the tag does not match, indicating tampering. This is strictly better than RC4, which gives you no tamper detection at all.

Both. Internal tools that encrypt data at rest or in transit using RC4 are vulnerable to insider threat and lateral movement scenarios. An attacker who compromises any internal system can collect RC4-encrypted traffic and process it offline. Compliance frameworks like SOC 2 and ISO 27001 require strong cryptography for all sensitive data, regardless of whether the system is internet-facing.
