IDEA Cipher Usage via cryptography Library

HIGH

Detects use of the IDEA cipher through the cryptography library, which has a 64-bit block size making it vulnerable to Sweet32 birthday attacks and is deprecated in modern cryptographic standards.

Rule Information

Language
Python
Category
Cryptography
Author
Shivasurya
Last Updated
2026-03-22
Tags
python, cryptography, idea, 64-bit-block, sweet32, deprecated-cipher, CWE-327, OWASP-A02
CWE References
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Interactive Playground

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-003 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects instantiation of the IDEA (International Data Encryption Algorithm) cipher via the `cryptography` library's `cryptography.hazmat.primitives.ciphers.algorithms.IDEA` class. IDEA operates on 64-bit blocks, which exposes it to the same birthday-bound attack, demonstrated in practice as Sweet32, that affects Blowfish, DES and 3DES.

IDEA was designed by Xuejia Lai and James Massey at ETH Zurich in 1991 and became the symmetric cipher of early PGP. It takes a 128-bit key and runs 8 rounds of the Lai-Massey construction plus a final output transformation; the key length is not the weakness. The 64-bit block size is. After about 2^32 blocks (32 GiB) encrypted under one key, a repeated ciphertext block becomes likely, and in CBC mode each repeat hands an observer the XOR of two plaintext blocks. IDEA was also covered by Swiss and US patents until 2012, which restricted its use in many jurisdictions.

The `cryptography` library's hazmat module includes IDEA only for legacy interoperability. The rule matches `CryptoCipherAlgorithms.method("IDEA")`. There is no block-size-safe way to use IDEA; replace it with AES-256-GCM.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. 64-Bit Block Size -- Sweet32 Birthday Attack

IDEA's 64-bit block size creates the same birthday attack surface as Blowfish and 3DES. After roughly 32 GiB (2^32 blocks) of ciphertext under one key, the probability that at least one ciphertext block has repeated is about 40% (1 - e^(-1/2)), and it keeps rising with volume. In CBC mode a repeated block reveals the XOR of two plaintext blocks without any knowledge of the key, enabling gradual plaintext recovery from intercepted traffic or stored data.
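The following is an added example, not code from the rule page, that makes the two numbers above concrete: the birthday-bound arithmetic for a 64-bit versus 128-bit block, and the CBC leak itself. Because 2^32 blocks cannot be produced in a demo, the block cipher is a constructed 16-bit Feistel permutation standing in for IDEA; only the block size is shrunk, the CBC collision property is identical. Everything here (`toy_encrypt_block`, `find_cbc_collision`, the key and plaintext material) is constructed for the illustration.

```python
"""Birthday-bound arithmetic and a CBC block-collision demonstration.

Added example, not part of the rule page. The toy cipher is a constructed
16-bit Feistel permutation standing in for any 64-bit block cipher such as
IDEA; the small block makes a collision appear in milliseconds instead of
after 32 GiB. Only the block size is shrunk; the CBC leak is identical.
"""
import hashlib
import math
import os

BLOCK_BITS = 16
HALF = BLOCK_BITS // 2
HALF_MASK = (1 << HALF) - 1


def _round_function(half: int, key: bytes, rnd: int) -> int:
    # Keyed round function. Any function works: a Feistel network is a
    # permutation of the block space whatever the round function does.
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & HALF_MASK


def toy_encrypt_block(key: bytes, block: int) -> int:
    """Eight-round Feistel permutation on a BLOCK_BITS-bit block (constructed toy)."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(8):
        left, right = right, left ^ _round_function(right, key, rnd)
    return (left << HALF) | right


def cbc_encrypt(key: bytes, iv: int, blocks: list[int]) -> list[int]:
    """Textbook CBC: C_i = E(P_i xor C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, p ^ prev)
        out.append(prev)
    return out


def find_cbc_collision(iv: int, ciphertext: list[int]):
    """Return (i, j, P_i xor P_j) for the first repeated ciphertext block, else None.

    C_i == C_j means E(P_i ^ C_{i-1}) == E(P_j ^ C_{j-1}); E is a permutation,
    so P_i ^ P_j == C_{i-1} ^ C_{j-1}. The attacker needs no key material.
    """
    prev = lambda k: iv if k == 0 else ciphertext[k - 1]
    seen: dict[int, int] = {}
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            return i, j, prev(i) ^ prev(j)
        seen[c] = j
    return None


def collision_probability(block_bits: int, num_blocks: int) -> float:
    """Birthday bound: P(some repeated block) ~ 1 - exp(-n^2 / 2^(b+1))."""
    return 1.0 - math.exp(-(num_blocks ** 2) / 2.0 ** (block_bits + 1))


def bytes_before_probability(block_bits: int, p: float) -> int:
    """Bytes one key may encrypt before the collision probability reaches p."""
    n_blocks = math.sqrt(-(2.0 ** (block_bits + 1)) * math.log(1.0 - p))
    return int(n_blocks) * (block_bits // 8)


def demo_leak(num_blocks: int = 4096) -> bool:
    """Encrypt random blocks, find a collision, verify the leaked XOR is correct."""
    key = os.urandom(16)
    iv = int.from_bytes(os.urandom(BLOCK_BITS // 8), "big")
    plaintext = [int.from_bytes(os.urandom(BLOCK_BITS // 8), "big") for _ in range(num_blocks)]
    hit = find_cbc_collision(iv, cbc_encrypt(key, iv, plaintext))
    if hit is None:
        return False
    i, j, leaked = hit
    return leaked == plaintext[i] ^ plaintext[j]


if __name__ == "__main__":
    print("64-bit block, 2^32 blocks (32 GiB):", round(collision_probability(64, 2 ** 32), 3))
    print("128-bit block, same volume:", collision_probability(128, 2 ** 32))
    print("64-bit budget for p=1e-4:", bytes_before_probability(64, 1e-4) // 2 ** 20, "MiB")
    print("CBC collision leaked a correct plaintext XOR:", demo_leak())
```

With 4096 random 16-bit blocks a collision is a near certainty, and `find_cbc_collision` recovers the XOR of the two plaintext blocks from ciphertext alone. The same arithmetic on a 64-bit block says that keeping the collision probability under 10^-4 allows only a few hundred MiB per key, which is the number a rotation policy should be built on, not the 32 GiB headline figure.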

2. No Authenticated Encryption

IDEA provides confidentiality only. Without a separate MAC or an AEAD construction, IDEA ciphertext can be silently modified and the application will decrypt the altered data without complaint. Code that does not verify integrity before decrypting is exposed to chosen-ciphertext attacks and, in CBC mode with PKCS#7 padding, to padding oracle attacks.

3. Effectively Abandoned by Cryptographic Standards Bodies

IDEA does not appear in NIST SP 800-131A's list of approved algorithms, is not permitted under FIPS 140-2/3, and its TLS cipher suites were dropped from the protocol in TLS 1.2 (RFC 5246) and deprecated in RFC 5469. Its presence in the `cryptography` library exists for interoperability with legacy data such as old PGP-encrypted archives, not for new development.

4. Historical Patent Restrictions Limited Audit and Deployment

Until 2012, IDEA was covered by Swiss and US patents, preventing royalty-free use and limiting the breadth of public security analysis compared to open algorithms like AES. Less cryptanalytic attention than AES has received means fewer published attacks, which is not the same as more assurance about its long-term security.

How to Fix

Recommended remediation steps

  1. Replace IDEA with AES-256-GCM (`AESGCM` from `cryptography.hazmat.primitives.ciphers.aead`) for new encryption
  2. Use ChaCha20-Poly1305 as an alternative AEAD cipher if AES hardware acceleration is unavailable
  3. If decrypting legacy IDEA-encrypted data, immediately re-encrypt the plaintext under AES-256-GCM and discard the IDEA key material
  4. Enforce key rotation policies so that no single IDEA key encrypts more than a conservative data volume; 32 GiB is where a collision becomes likely, not where the risk starts, and keeping the collision probability below 10^-4 means a budget of only a few hundred MiB per key
  5. Run this rule in CI to prevent IDEA from being introduced into new code paths while legacy migration is underway
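As an added example (not the rule's or the cryptography project's code), the migration described in steps 1 and 3, alongside the tamper-rejection behaviour the "No Authenticated Encryption" item above says IDEA lacks: the flagged IDEA-CBC pattern is kept only to read legacy records, and every record is re-encrypted under AES-256-GCM with the record ID bound as associated data. It assumes the `cryptography` package is installed and that the OpenSSL build behind it still provides IDEA (OpenSSL 3 keeps IDEA in its legacy provider, which cryptography loads when available); from cryptography 43 onward the class is imported from the `decrepit` namespace, so the import is tried in that order. Keys, record contents and the AAD string are constructed for the example.

```python
"""Replace IDEA-CBC with AES-256-GCM and re-encrypt legacy records.

Added example, not the rule's or the cryptography project's code. Requires
the `cryptography` package; the legacy helpers exist only so that records
written by the flagged pattern can be read once and migrated.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    # cryptography >= 43 ships IDEA under the decrepit namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import IDEA
except ImportError:
    # older releases: the import path this rule matches
    from cryptography.hazmat.primitives.ciphers.algorithms import IDEA

IDEA_BLOCK_BITS = 64   # the property the rule is about
IDEA_IV_LEN = 8
GCM_NONCE_LEN = 12


# --- BEFORE: what the rule flags. Confidentiality only, 64-bit blocks. ---
def legacy_idea_cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """IDEA-CBC with PKCS#7 padding; returns iv || ciphertext. Not for new data."""
    iv = os.urandom(IDEA_IV_LEN)
    padder = padding.PKCS7(IDEA_BLOCK_BITS).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(IDEA(key), modes.CBC(iv)).encryptor()  # rule fires on IDEA(key)
    return iv + enc.update(padded) + enc.finalize()


def legacy_idea_cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    """Read a legacy record. Nothing here detects tampering."""
    iv, ct = blob[:IDEA_IV_LEN], blob[IDEA_IV_LEN:]
    dec = Cipher(IDEA(key), modes.CBC(iv)).decryptor()  # rule fires on IDEA(key)
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(IDEA_BLOCK_BITS).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


# --- AFTER: AES-256-GCM, 128-bit blocks plus an integrity tag. ---
def aesgcm_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag. Fresh 96-bit nonce per message; never reuse one under a key."""
    nonce = os.urandom(GCM_NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def aesgcm_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Raises InvalidTag if ciphertext, tag or AAD were modified."""
    nonce, ct = blob[:GCM_NONCE_LEN], blob[GCM_NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ct, aad)


def rejects_tampering(key: bytes, blob: bytes, aad: bytes = b"") -> bool:
    """Flip one ciphertext bit and confirm decryption fails closed."""
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        aesgcm_decrypt(key, tampered, aad)
    except InvalidTag:
        return True
    return False


def migrate_record(legacy_key: bytes, new_key: bytes, legacy_blob: bytes, aad: bytes = b"") -> bytes:
    """Decrypt once under IDEA, re-encrypt under AES-256-GCM; then retire the IDEA key."""
    plaintext = legacy_idea_cbc_decrypt(legacy_key, legacy_blob)
    return aesgcm_encrypt(new_key, plaintext, aad)


if __name__ == "__main__":
    legacy_key = os.urandom(16)                      # IDEA takes a 128-bit key
    new_key = AESGCM.generate_key(bit_length=256)
    old = legacy_idea_cbc_encrypt(legacy_key, b"account=42;balance=100")
    new = migrate_record(legacy_key, new_key, old, aad=b"record-id:42")
    print(aesgcm_decrypt(new_key, new, aad=b"record-id:42"))
    print("tampering detected:", rejects_tampering(new_key, new, aad=b"record-id:42"))
```

Binding the record identifier as AAD means a migrated ciphertext cannot be swapped into another record's slot without the tag check failing, which is a property the IDEA-CBC original never had. Once every record has been migrated, delete the legacy functions; at that point the rule should no longer fire anywhere in the code base.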

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches calls to the IDEA constructor in the cryptography library's hazmat algorithms module via the QueryType pattern `CryptoCipherAlgorithms.method("IDEA")`. It fires on any IDEA cipher object instantiation regardless of key or mode; the 64-bit block size is inherent to the algorithm and cannot be configured away. Since cryptography 43 the same class is also importable from `cryptography.hazmat.decrepit.ciphers.algorithms` (the `primitives.ciphers.algorithms` path emits a deprecation warning), so confirm that the ruleset you run resolves that import path as well before treating a clean scan as proof of absence. There is no companion PyCryptodome rule for IDEA because PyCryptodome does not implement it.
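The Pathfinder query above is declarative, so as an added illustration of the import tracking such a rule has to do, here is a stand-alone `ast`-based detector (my own code, not Code Pathfinder's implementation). It flags IDEA constructor calls reached through either import path, through module and class aliases, and through a fully dotted reference, while ignoring an unrelated local class that happens to be named `IDEA`. The sample source it scans is constructed for the example.

```python
"""A minimal import-aware detector for IDEA constructor calls.

Added illustration of what a rule like this has to track; it is not Code
Pathfinder's implementation, and the sample source is constructed.
"""
import ast
from typing import Optional

IDEA_MODULES = {
    "cryptography.hazmat.primitives.ciphers.algorithms",
    "cryptography.hazmat.decrepit.ciphers.algorithms",
}


class IdeaCallFinder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.idea_names: set[str] = set()          # local names bound to the IDEA class
        self.module_aliases: dict[str, str] = {}   # local name -> dotted module path
        self.findings: list[tuple[int, str]] = []  # (line, call text)

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:                   # import a.b.c [as x]
            self.module_aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for alias in node.names:
            full = f"{node.module}.{alias.name}"
            local = alias.asname or alias.name
            if full in IDEA_MODULES:               # from ...ciphers import algorithms [as x]
                self.module_aliases[local] = full
            elif node.module in IDEA_MODULES and alias.name == "IDEA":
                self.idea_names.add(local)         # from ...algorithms import IDEA [as x]
        self.generic_visit(node)

    def _dotted(self, node: ast.expr) -> Optional[str]:
        """Resolve a Name/Attribute chain to a dotted path, expanding module aliases."""
        if isinstance(node, ast.Name):
            return self.module_aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self._dotted(node.value)
            return None if base is None else f"{base}.{node.attr}"
        return None

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Name) and func.id in self.idea_names:
            self.findings.append((node.lineno, ast.unparse(node)))
        elif isinstance(func, ast.Attribute) and func.attr == "IDEA":
            if self._dotted(func.value) in IDEA_MODULES:
                self.findings.append((node.lineno, ast.unparse(node)))
        self.generic_visit(node)


def scan_source(source: str) -> list[tuple[int, str]]:
    finder = IdeaCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample: two real IDEA instantiations, one AES call, one local class.
SAMPLE = """\
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.decrepit.ciphers.algorithms import IDEA as LegacyIDEA
import os

def encrypt(key, data):
    iv = os.urandom(8)
    return Cipher(algorithms.IDEA(key), modes.CBC(iv)).encryptor()

def decrypt_old(key, iv, blob):
    return Cipher(LegacyIDEA(key), modes.CBC(iv)).decryptor()

def fine(key):
    return algorithms.AES(key)

class IDEA:
    pass

def not_a_cipher():
    return IDEA()
"""

if __name__ == "__main__":
    for line, text in scan_source(SAMPLE):
        print(f"sample.py:{line}: IDEA cipher instantiated: {text}")
```

The detector reports lines 7 and 10 of the sample and nothing else. Resolving imports rather than grepping for the string `IDEA` is what keeps the local `class IDEA` out of the results and what lets an aliased `LegacyIDEA(key)` in; a rule that does only one of those produces either noise or misses.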

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- strong cryptography and security protocols to protect cardholder data during transmission over open, public networks
NIST SP 800-131A
Transitioning the use of cryptographic algorithms and key lengths -- DES and 3DES disallowed; IDEA was never an approved algorithm
NIST SP 800-53
SC-13: Cryptographic Protection

Frequently Asked Questions

Common questions about IDEA Cipher Usage via cryptography Library

IDEA's 128-bit key provides adequate strength against brute-force attacks, but the limiting factor is the 64-bit block size, not the key. The Sweet32 birthday attack does not target the key; it exploits repeated ciphertext blocks. After ~32 GiB under one key such repeats become likely and leak plaintext XORs regardless of how strong the key is. AES uses a 128-bit block at every key size, which pushes the same bound out by a factor of 2^32 and eliminates this class of attack in practice.
Decryption-only usage for existing archives is the legitimate use case for IDEA in the cryptography library. However, the rule still fires because it cannot distinguish decryption-only usage from encryption. If your code genuinely only decrypts legacy archives and never encrypts new data, you can acknowledge the finding with an inline suppression comment and a migration plan to re-encrypt the archives under AES-256-GCM.
IDEA was included in early versions of PGP and OpenPGP (RFC 2440). Modern OpenPGP implementations (RFC 4880 and later) include AES as the primary cipher and retain IDEA only for backwards compatibility with pre-2000 encrypted messages. No active protocol negotiates IDEA for new connections.
Until 2012, IDEA was patented in Switzerland and the United States. This restricted broad deployment and limited the volume of independent public security research compared to unencumbered algorithms like AES. While no practical attack beyond the Sweet32 block size issue has been published, the reduced scrutiny means less confidence in the algorithm's long-term security guarantees.
Yes. The rule matches any IDEA constructor call. If the shim is genuinely decryption-only and required for legacy archive access, add an inline suppression with a comment explaining the business justification, and create a backlog item to migrate the archives to AES-256-GCM. The finding is still valid as a risk tracking item even if immediate remediation is not feasible.
