Blowfish Cipher Usage via PyCryptodome

HIGH

Detects use of the Blowfish cipher through PyCryptodome, which has a 64-bit block size making it vulnerable to Sweet32 birthday attacks after approximately 32GB of data.

Rule Information

Language
Python
Category
Cryptography
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, pycryptodome, blowfish, sweet32, birthday-attack, 64-bit-block, CWE-327, OWASP-A02
CWE References

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-002a --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects calls to `Crypto.Cipher.Blowfish.new()` from the PyCryptodome library. Blowfish operates on 64-bit blocks, making it susceptible to the Sweet32 birthday attack (CVE-2016-2183) once approximately 32GB of data is encrypted under the same key.

The birthday paradox dictates that with a 64-bit block cipher in CBC or CFB mode, block collisions become probable after 2^32 encrypted blocks. An attacker who can observe sufficient ciphertext can leverage these collisions to recover plaintext segments, most notably session tokens in web traffic. Following the public disclosure of Sweet32 in 2016, all major browsers and TLS stacks disabled 64-bit block cipher suites.

The rule matches `PyCryptoCipherBlowfish.method("new")` -- any instantiation of a Blowfish cipher object via PyCryptodome. Blowfish's wide key range (32 to 448 bits) does not mitigate the block size problem. The companion rule PYTHON-CRYPTO-SEC-002 covers Blowfish in the `cryptography` library.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Sweet32 Birthday Attack After 32GB of Ciphertext

PyCryptodome's Blowfish operates on 8-byte blocks. After 2^32 blocks (~32GB) under the same key, block collisions become statistically likely. In CBC mode, a collision between two ciphertext blocks allows an attacker who knows one corresponding plaintext to recover the other. For services encrypting session data or bulk files with a persistent key, 32GB is reachable within hours.

2. CBC Mode Without MAC Creates Padding Oracle Exposure

PyCryptodome's Blowfish in CBC mode without a separate HMAC produces unauthenticated ciphertext. Applications that return different error responses for invalid padding versus decryption failure inadvertently expose a padding oracle. An attacker can decrypt arbitrary ciphertext blocks by sending carefully crafted inputs and measuring response behavior.

3. Superseded by AES Over Two Decades Ago

AES was standardized in 2001 specifically to replace aging 64-bit block ciphers. PyCryptodome includes Blowfish only for legacy compatibility. Any new code that selects Blowfish over AES is choosing a demonstrably weaker algorithm for no technical benefit.

4. No Hardware Acceleration Path

Modern CPUs include AES-NI instructions that make AES-GCM exceptionally fast. Blowfish has no hardware acceleration path and is slower than AES-NI-accelerated AES in typical deployments. There is no performance argument for Blowfish.

How to Fix

Recommended remediation steps

  1. Replace Crypto.Cipher.Blowfish with AES in GCM mode (AES.new(key, AES.MODE_GCM)) for authenticated encryption
  2. Use ChaCha20-Poly1305 via the cryptography library if AES hardware acceleration is unavailable
  3. If a block cipher mode other than GCM is required, always pair it with HMAC-SHA256 to detect ciphertext tampering
  4. Re-encrypt any data stored with Blowfish under AES-256-GCM and rotate all Blowfish key material
  5. Confirm no Blowfish cipher suites remain enabled in TLS configuration alongside this code-level fix

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches calls to `Crypto.Cipher.Blowfish.new()` in PyCryptodome via the QueryType pattern `PyCryptoCipherBlowfish.method("new")`. It fires on any Blowfish cipher object instantiation, regardless of key size or cipher mode (CBC, CFB, OFB, ECB). The 64-bit block size vulnerability applies to all Blowfish configurations. The companion rule PYTHON-CRYPTO-SEC-002 covers Blowfish in the `cryptography` hazmat library.
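To make the detection scope concrete, here is an added example of the same check written against Python's standard `ast` module. It is not Code Pathfinder's rule code and does not use its QueryType language; it simply resolves import aliases so that every spelling of `Crypto.Cipher.Blowfish.new()` is caught regardless of key size or mode, while `Crypto.Protocol.KDF.bcrypt` and `AES.new()` are left alone. The sample source it scans is constructed for the demonstration; the resolver is deliberately simple and ignores variable shadowing and relative imports.

```python
"""Added example, not Code Pathfinder's rule implementation: an AST-based
approximation of PYTHON-CRYPTO-SEC-002a that flags every call resolving to
Crypto.Cipher.Blowfish.new(), whatever the import style, key size or mode."""
import ast

BLOWFISH_NEW = "Crypto.Cipher.Blowfish.new"


def _dotted_name(node):
    """Turn an Attribute/Name chain such as BF.new or Crypto.Cipher.Blowfish.new
    into a dotted string; return None for calls on other expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree):
    """Map each local binding introduced by an import to its fully qualified name."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:                      # import Crypto.Cipher.Blowfish as BF
                    aliases[alias.asname] = alias.name
                else:                                 # import Crypto.Cipher.Blowfish binds "Crypto"
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:                  # from Crypto.Cipher import Blowfish [as X]
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def find_blowfish_new(source: str):
    """Return the sorted line numbers of every Blowfish.new() instantiation."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        dotted = _dotted_name(node.func)
        if dotted is None:
            continue
        head, _, rest = dotted.partition(".")
        resolved = aliases.get(head, head) + (f".{rest}" if rest else "")
        if resolved == BLOWFISH_NEW:
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample input covering three import styles, plus two calls that
# must not fire (AES-GCM, and bcrypt from Crypto.Protocol.KDF).
SAMPLE_SOURCE = '''\
from Crypto.Cipher import Blowfish, AES
import Crypto.Cipher.Blowfish as BF
from Crypto.Cipher.Blowfish import new as bf_new
from Crypto.Protocol.KDF import bcrypt

key = b"0123456789abcdef"
c1 = Blowfish.new(key, Blowfish.MODE_CBC, iv=b"8byteiv!")   # flagged
c2 = BF.new(key, BF.MODE_ECB)                                # flagged
c3 = bf_new(key, Blowfish.MODE_OFB)                          # flagged
c4 = AES.new(key, AES.MODE_GCM)                              # clean
h = bcrypt(b"password", 12)                                  # clean: KDF, not the cipher
'''

if __name__ == "__main__":
    for lineno in find_blowfish_new(SAMPLE_SOURCE):
        print(f"line {lineno}: Crypto.Cipher.Blowfish.new() (64-bit block cipher, Sweet32)")
```

Running the module prints one finding per Blowfish instantiation (lines 7, 8 and 9 of the sample) and nothing for the AES-GCM and bcrypt lines, which matches the scope described above.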

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for data protection
NIST SP 800-131A
Transitioning to approved algorithms -- RC4/DES/3DES disallowed
NIST SP 800-53
SC-13: Cryptographic Protection

Frequently Asked Questions

Common questions about Blowfish Cipher Usage via PyCryptodome

If keys are truly unique per file and never reused, the risk from Sweet32 is minimal for small files -- you need 32GB of ciphertext under one key for the birthday bound to be significant. However, per-key uniqueness is operationally difficult to guarantee, key management complexity increases, and there is still no integrity protection without a separate MAC. AES-GCM solves all of this cleanly with a single primitive.

PyCryptodome maintains Blowfish for interoperability with legacy systems that require it for decryption of existing data. Inclusion in a library does not indicate safety for new encryption. The library's own documentation marks Blowfish as a legacy cipher and recommends AES for new applications.

Read each Blowfish-encrypted file, decrypt using the stored key, then re-encrypt using AES.new(key256, AES.MODE_GCM) and store the new ciphertext along with the nonce and authentication tag. Update your key storage to hold 32-byte AES keys instead of Blowfish keys. Delete the original Blowfish-encrypted copies and the old keys after successful migration.

PyCryptodome supports Blowfish in CBC, CFB, OFB, and ECB modes. None of them are safe for new code. ECB is the worst (identical plaintext blocks produce identical ciphertext). CBC, CFB, and OFB are all affected by the Sweet32 block size problem when sufficient data is encrypted. AES in GCM mode is the correct replacement for all of these.

No. This rule targets `Crypto.Cipher.Blowfish.new()` -- the symmetric cipher. PyCryptodome's bcrypt implementation (Crypto.Protocol.KDF) uses the Blowfish key schedule as a one-way function for password hashing, which is a different and appropriate use case. Bcrypt is not flagged by this rule.
