# PYTHON-CRYPTO-SEC-003: IDEA Cipher Usage via cryptography Library > **Severity:** HIGH | **CWE:** CWE-327 | **OWASP:** A02:2021 - **Language:** Python - **Category:** Cryptography - **URL:** https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-003 - **Detection:** `pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-003 --project .` ## Description This rule detects instantiation of the IDEA (International Data Encryption Algorithm) cipher via the `cryptography` library's `cryptography.hazmat.primitives.ciphers.algorithms.IDEA` class. IDEA operates on 64-bit blocks, subjecting it to the same Sweet32 birthday attack that affects Blowfish, DES, and 3DES. IDEA was designed in 1991 as part of the PGP encryption standard. It uses a 128-bit key with an 8-round Feistel-like structure, providing reasonable key strength -- but its 64-bit block size is fundamentally limiting. After 2^32 blocks (~32GB) under the same key, block collisions become probable and ciphertext analysis can recover plaintext. IDEA also carried Swiss patent protection until 2012, which restricted its use in many jurisdictions. The `cryptography` library's hazmat module includes IDEA only for legacy interoperability. The rule matches `CryptoCipherAlgorithms.method("IDEA")`. There is no block-size-safe way to use IDEA; replace it with AES-256-GCM. ## Vulnerable Code ```python from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend idea_key = b'\x00' * 16 cipher = Cipher(algorithms.IDEA(idea_key), modes.CBC(b'\x00' * 8), backend=default_backend()) ``` ## Secure Code ```python from cryptography.hazmat.primitives.ciphers.aead import AESGCM import os # SECURE: AES-256-GCM provides both confidentiality and integrity key = AESGCM.generate_key(bit_length=256) aesgcm = AESGCM(key) nonce = os.urandom(12) ct = aesgcm.encrypt(nonce, b"sensitive data", associated_data=None) ``` ## Detection Rule (Python SDK) ```python from rules.python_decorators import python_rule from codepathfinder import calls, flows, QueryType from codepathfinder.presets import PropagationPresets class CryptoCipherAlgorithms(QueryType): fqns = ["cryptography.hazmat.primitives.ciphers.algorithms"] @python_rule( id="PYTHON-CRYPTO-SEC-003", name="Insecure IDEA Cipher", severity="HIGH", category="cryptography", cwe="CWE-327", tags="python,cryptography,idea,weak-cipher,CWE-327", message="IDEA cipher is deprecated. Use AES instead.", owasp="A02:2021", ) def detect_idea_cipher(): """Detects IDEA cipher usage in cryptography lib.""" return CryptoCipherAlgorithms.method("IDEA") ``` ## How to Fix - Replace IDEA with AES-256-GCM (AESGCM from cryptography.hazmat.primitives.ciphers.aead) for new encryption - Use ChaCha20-Poly1305 as an alternative AEAD cipher if AES hardware acceleration is unavailable - If decrypting legacy IDEA-encrypted data, immediately re-encrypt the plaintext under AES-256-GCM and discard IDEA key material - Enforce key rotation policies so that no single IDEA key is used to encrypt more than a conservative data volume - Run this rule in CI to prevent IDEA from being introduced into new code paths while legacy migration is underway ## Security Implications - **64-Bit Block Size -- Sweet32 Birthday Attack:** IDEA's 64-bit block size creates the same birthday attack surface as Blowfish and 3DES. After roughly 32GB of ciphertext under one key, the probability of a block collision exceeds 50%. In CBC mode, a collision reveals the XOR of two plaintext blocks, enabling gradual plaintext recovery from intercepted traffic or stored data. - **No Authenticated Encryption:** IDEA provides confidentiality only. Without a separate MAC or use of an AEAD mode, any IDEA-encrypted ciphertext can be silently modified. Applications that do not verify integrity before decrypting are exposed to chosen-ciphertext attacks and padding oracle vulnerabilities depending on the block mode. - **Effectively Abandoned by Cryptographic Standards Bodies:** IDEA does not appear in NIST SP 800-131A's list of approved algorithms, is not permitted under FIPS 140-2/3, and has been removed from the TLS cipher suite registry. Its presence in the `cryptography` library exists solely for interoperability with old PGP-encrypted archives, not for new development. - **Historical Patent Restrictions Limited Audit and Deployment:** Until 2012, IDEA was covered by Swiss and US patents, preventing royalty-free use and limiting the breadth of public security analysis compared to open algorithms like AES. The reduced scrutiny relative to AES means fewer known attacks but also less assurance of long-term security. ## FAQ **Q: IDEA uses a 128-bit key. Isn't that strong enough for modern use?** IDEA's 128-bit key provides adequate key strength against brute-force attacks, but the limiting factor is the 64-bit block size, not the key. The Sweet32 birthday attack does not target the key -- it exploits block collisions in the ciphertext. After ~32GB under one key, these collisions leak plaintext regardless of how strong the key is. AES-128 and above use a 128-bit block size, which eliminates this entire class of attacks. **Q: We use IDEA only to decrypt old PGP archives. Should we still fix this?** Decryption-only usage for existing archives is the legitimate use case for IDEA in the cryptography library. However, the rule still fires because it cannot distinguish decryption-only usage from encryption. If your code genuinely only decrypts legacy archives and never encrypts new data, you can acknowledge the finding with an inline suppression comment and a migration plan to re-encrypt the archives under AES-256-GCM. **Q: Is IDEA still used in any current protocols or formats?** IDEA was included in early versions of PGP and OpenPGP (RFC 2440). Modern OpenPGP implementations (RFC 4880 and later) include AES as the primary cipher and retain IDEA only for backwards compatibility with pre-2000 encrypted messages. No active protocol negotiates IDEA for new connections. **Q: How does the IDEA patent history affect security?** Until 2012, IDEA was patented in Switzerland and the United States. This restricted broad deployment and limited the volume of independent public security research compared to unencumbered algorithms like AES. While no practical attack beyond the Sweet32 block size issue has been published, the reduced scrutiny means less confidence in the algorithm's long-term security guarantees. **Q: Will this rule flag IDEA if it appears in a compatibility shim that only decrypts?** Yes. The rule matches any IDEA constructor call. If the shim is genuinely decryption-only and required for legacy archive access, add an inline suppression with a comment explaining the business justification, and create a backlog item to migrate the archives to AES-256-GCM. The finding is still valid as a risk tracking item even if immediate remediation is not feasible. ## References - [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html) - [Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN](https://sweet32.info/) - [NIST SP 800-131A Rev 2: Transitioning the Use of Cryptographic Algorithms](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final) - [IDEA Cipher -- Original Paper by Lai and Massey (1991)](https://link.springer.com/chapter/10.1007/3-540-46877-3_35) - [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) --- Source: https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-003 Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis