pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-004 --project .
About This Rule
Understanding the vulnerability and how it is detected
This rule detects calls to `Crypto.Cipher.ARC2.new()` from the PyCryptodome library. RC2 (also known as ARC2 to avoid trademark issues) is a 64-bit block cipher designed in 1987. Its effective key length can be configured independently of its nominal key size via the `effective_keylen` parameter, making it possible to silently operate with only 40 bits of security -- a level brute-forceable in minutes with commodity hardware.
RC2 was designed during the US export control era, when algorithms were deliberately weakened to 40-bit effective strength for export. Many protocol implementations default to or accept 40-bit effective key length. The algorithm also has a known-plaintext attack that is more efficient than brute force for certain key lengths. NIST SP 800-131A does not approve RC2 for any use case.
The rule matches `PyCryptoCipherARC2.method("new")`. Even at maximum effective key strength, RC2 retains a 64-bit block size (Sweet32 risk) and an aging design. There is no justification for RC2 in new code.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Effective Key Length Configurable Down to 40 Bits
PyCryptodome's ARC2.new() accepts an `effective_keylen` parameter that controls the actual security level independently of key length. The default and common export-era setting is 40 bits -- a search space of 2^40, which a modern GPU cluster can exhaust in minutes. Code that omits `effective_keylen` or sets it to a low value provides minimal encryption strength regardless of how many bytes the key contains.
64-Bit Block Size -- Sweet32 Birthday Attack
Like Blowfish, DES, and 3DES, RC2 uses 8-byte blocks. After approximately 32GB of ciphertext under the same key, block collisions become probable. In CBC mode, these collisions can be exploited to recover plaintext segments, particularly in long-lived encrypted channels or bulk data stores.
Known-Plaintext Attacks More Efficient Than Brute Force
RC2's key schedule has structural weaknesses that allow related-key attacks and known-plaintext attacks that reduce the effective search space below the nominal key length. At 128-bit key length, the algorithm has not been comprehensively vetted against modern cryptanalytic techniques the way AES has been through its public competition and standardization process.
Export Control Legacy -- Deliberate Weakening for Compliance
RC2 was designed in an era when US export regulations required algorithms to be no stronger than 40-bit effective key length for non-US users. The algorithm was intentionally designed with configurable weakening. Code that inherits or copies RC2 usage from old sources may unknowingly retain 40-bit effective key settings, providing nearly no cryptographic protection.
How to Fix
Recommended remediation steps
1. Replace `Crypto.Cipher.ARC2` with AES in GCM mode (`AES.new(key, AES.MODE_GCM)`) for authenticated encryption
2. Use ChaCha20-Poly1305 via the cryptography library as an alternative AEAD cipher
3. Never use RC2 with `effective_keylen` below 128 -- even at maximum strength, RC2 is not recommended for new code
4. Re-encrypt any data stored under RC2 using AES-256-GCM and rotate all key material
5. Audit any protocol negotiation code to ensure 40-bit or 56-bit effective key lengths cannot be selected
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule matches calls to `Crypto.Cipher.ARC2.new()` in PyCryptodome via the QueryType pattern `PyCryptoCipherARC2.method("new")`. It fires on any ARC2 cipher object instantiation regardless of the effective_keylen or mode parameter. Even at maximum effective key length, RC2 retains a 64-bit block size and is not approved for new use by any current standard. No sanitizer exclusions are defined.
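The matching behaviour described above can be approximated with Python's standard `ast` module. This is an added example, not Code Pathfinder's implementation: `find_arc2_calls`, `_dotted` and `SAMPLE` are hypothetical names, the sample source is constructed, and only import aliases are resolved (not reassignments). Like the rule, it flags every `ARC2.new()` call, and it also reports the `effective_keylen` argument so 40-bit or 56-bit settings stand out during an audit.

```python
import ast

# Constructed sample input: import styles a scanned project might contain.
SAMPLE = '''
from Crypto.Cipher import ARC2, AES
import Crypto.Cipher.ARC2 as rc2
from Crypto.Cipher.ARC2 import new as rc2_new

a = ARC2.new(key, ARC2.MODE_CBC, iv, effective_keylen=40)
b = rc2.new(key, rc2.MODE_ECB)
c = rc2_new(key, ARC2.MODE_CBC, iv, effective_keylen=bits)
d = AES.new(key, AES.MODE_GCM)
'''

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def find_arc2_calls(source):
    """Return [(lineno, effective_keylen)] for each Crypto.Cipher.ARC2.new() call."""
    # effective_keylen: int literal, "dynamic" if computed, None if omitted.
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name it refers to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        if full != "Crypto.Cipher.ARC2.new":
            continue
        kw = next((k.value for k in node.keywords if k.arg == "effective_keylen"), None)
        if isinstance(kw, ast.Constant):
            kw = kw.value      # literal bit count, e.g. 40
        elif kw is not None:
            kw = "dynamic"     # value only known at run time
        findings.append((node.lineno, kw))
    return sorted(findings, key=lambda f: f[0])
```

The `AES.new()` call in the sample is not reported, and a call through the fully qualified `Crypto.Cipher.ARC2.new` name is matched without any alias entry.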
Similar Rules
Explore related security rules for Python
RC4 (ARC4) Cipher Usage via cryptography Library
Detects use of the RC4 stream cipher through the cryptography library's ARC4 algorithm, which has known keystream biases and is prohibited by RFC 7465.
RC4 (ARC4) Cipher Usage via PyCryptodome
Detects use of the RC4 stream cipher through PyCryptodome's ARC4 module, which has known keystream biases and is prohibited by RFC 7465.
DES Cipher Usage via PyCryptodome
Detects use of single DES through PyCryptodome, which has only a 56-bit key that has been publicly brute-forceable since 1999 and is disallowed by FIPS 46-3 (withdrawn 2005).