DES Cipher Usage via PyCryptodome

HIGH

Detects use of single DES through PyCryptodome. DES has only a 56-bit key that has been publicly brute-forceable since 1999, and its standard, FIPS 46-3, was withdrawn in 2005.

Rule Information

Language: Python
Category: Cryptography
Author: Shivasurya
Last Updated: 2026-03-22
Tags: python, pycryptodome, des, 56-bit-key, brute-force, broken-crypto, CWE-327, OWASP-A02
Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects calls to `Crypto.Cipher.DES.new()` from the PyCryptodome library. DES (Data Encryption Standard) uses a 56-bit key. In 1999, the EFF's Deep Crack machine broke a DES-encrypted challenge in 22 hours. Modern GPU clusters can exhaust the entire DES keyspace in minutes. The algorithm is completely broken for confidentiality purposes.

DES was standardized in 1977 and was already under brute-force pressure by the late 1990s. FIPS 46-3 (the DES standard) was formally withdrawn in 2005. NIST SP 800-131A disallows DES for all uses. The 64-bit block size also exposes DES to the Sweet32 birthday attack for any key, and its eight S-boxes have been studied extensively with differential and linear cryptanalysis.

The rule matches `PyCryptoCipherDES.method("new")`. There is no safe way to use single DES. See PYTHON-CRYPTO-SEC-005a for the companion rule covering 3DES.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. 56-Bit Key Brute-Forceable in Under 24 Hours

DES's 56-bit key space (2^56 = ~72 quadrillion keys) was publicly brute-forced in 22 hours in 1999 using the EFF DES Cracker costing $250,000. Modern commodity GPU clusters perform this attack in minutes. Any DES-encrypted data should be considered compromised if an attacker had access to the ciphertext.

2. FIPS 46-3 Formally Withdrawn in 2005

The DES standard FIPS 46-3 was withdrawn by NIST in 2005 and is no longer approved for any federal information processing use. Systems that encrypt sensitive data with DES are automatically non-compliant with FISMA, FedRAMP, HIPAA Security Rule technical safeguards, and PCI DSS.

3. 64-Bit Block Size Adds Sweet32 Exposure

Beyond the key length problem, DES uses a 64-bit block size. Under sustained encryption with the same key, block collisions become probable after ~32GB -- enabling birthday-bound plaintext recovery attacks. A single encryption session is unlikely to reach this limit, but long-running services that reuse DES keys accumulate ciphertext toward this threshold.

4. No Authentication -- Vulnerable to Chosen-Ciphertext Attacks

DES in any mode available via PyCryptodome (CBC, CFB, OFB, ECB) provides no integrity or authentication. CBC mode DES without a MAC is vulnerable to padding oracle and chosen-ciphertext attacks. ECB mode leaks plaintext patterns directly. Neither mode is safe for any use case.

How to Fix

Recommended remediation steps

  1. Replace `Crypto.Cipher.DES` with AES in GCM mode (`AES.new(key, AES.MODE_GCM)`) for authenticated encryption
  2. Use ChaCha20-Poly1305 via the cryptography library as an alternative when AES hardware acceleration is unavailable
  3. Treat all data previously encrypted with DES as potentially compromised and assess exposure accordingly
  4. Generate 256-bit (32-byte) AES keys using `os.urandom(32)` or a proper KDF like PBKDF2/scrypt/Argon2
  5. Audit all key derivation and storage code when migrating from DES -- a DES key is 8 bytes; an AES-256 key is 32 bytes

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches calls to `Crypto.Cipher.DES.new()` in PyCryptodome via the QueryType pattern `PyCryptoCipherDES.method("new")`. It fires on any single-DES cipher object instantiation regardless of mode (CBC, ECB, CFB, OFB, CTR). There is no safe configuration for single DES. The companion rule PYTHON-CRYPTO-SEC-005a covers Triple DES (3DES, DES3) in PyCryptodome.
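To show why matching is done on the resolved type rather than on the text `DES.new`, here is an added sketch using Python's standard `ast` module; it is not Code Pathfinder's implementation or its rule syntax. The sample source, `find_des_new` and `_dotted` are constructed for this illustration.

```python
import ast

TARGET = "Crypto.Cipher.DES.new"

# Constructed sample covering the import forms a matcher has to resolve.
SAMPLE = '''\
from Crypto.Cipher import DES, AES, DES3
from Crypto.Cipher import DES as LegacyCipher
import Crypto.Cipher.DES
import Crypto.Cipher as cc
from Crypto.Cipher.DES import new as des_new
a = DES.new(key, DES.MODE_ECB)
b = LegacyCipher.new(key, LegacyCipher.MODE_CBC, iv)
c = Crypto.Cipher.DES.new(key, 1)
d = cc.DES.new(key, 1)
e = des_new(key, 1)
f = AES.new(key32, AES.MODE_GCM)
g = DES3.new(key24, DES3.MODE_CBC, iv)
'''

def _dotted(node):
    """Turn an Attribute/Name chain such as a.b.c into ['a', 'b', 'c']."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a call on a subscript or on another call's result
    return [node.id] + parts[::-1]

def find_des_new(source):
    """Return sorted line numbers where a single-DES cipher object is created."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name it is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in ast.walk(tree):
        parts = _dotted(node.func) if isinstance(node, ast.Call) else None
        if parts and parts[0] in aliases:
            if ".".join([aliases[parts[0]]] + parts[1:]) == TARGET:
                hits.append(node.lineno)
    return sorted(hits)
```

This sketch only resolves import aliases; it does not follow reassignments such as `mod = DES` followed by `mod.new(...)`.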

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10: A02:2021 - Cryptographic Failures
PCI DSS v4.0: Requirement 4.2.1 -- use strong cryptography for data protection
NIST SP 800-131A: Transitioning to approved algorithms -- RC4/DES/3DES disallowed
NIST SP 800-53: SC-13: Cryptographic Protection
FIPS 46-3: DES standard withdrawn in 2005 -- no longer approved for use

Frequently Asked Questions

Common questions about DES Cipher Usage via PyCryptodome

Yes. Internal systems are common lateral movement targets. An attacker who compromises any internal host can collect DES-encrypted data and brute-force it in minutes. Even if the data itself is low-sensitivity today, using DES normalizes weak cryptography practices and creates technical debt. Compliance frameworks like PCI DSS and HIPAA apply to system configurations regardless of the perceived sensitivity of specific data sets.
The 1999 EFF DES Cracker cost $250,000 and broke DES in 22 hours. A 2023 GPU cluster costing a few thousand dollars can exhaust the 2^56 DES keyspace in under an hour. Cloud computing makes this accessible to any attacker for under $100. DES provides no meaningful confidentiality against any motivated adversary with commodity resources.
Interoperability constraints are the most common reason for legacy cipher usage. The correct path is to negotiate a protocol upgrade with the mainframe team -- most modern mainframe systems support AES. As a temporary measure, minimize the sensitivity of data exchanged over the DES channel and document the risk formally. Add a migration deadline and track it. Do not let the temporary workaround become permanent.
PyCryptodome includes DES for interoperability with legacy systems and protocols that require decryption of existing data. The library cannot remove DES without breaking valid use cases like reading old encrypted files or communicating with systems that have not been updated. Inclusion in the library is a backward compatibility decision, not an endorsement of DES for new encryption.
PYTHON-CRYPTO-SEC-005 flags single DES (Crypto.Cipher.DES), which uses one 56-bit key. PYTHON-CRYPTO-SEC-005a flags Triple DES (Crypto.Cipher.DES3), which applies DES three times with two or three different keys. 3DES is stronger than single DES but still has the 64-bit block size (Sweet32) and was deprecated by NIST after 2023. Both rules recommend AES-256-GCM as the replacement.
PCI DSS QSAs treat any use of DES as an automatic failure under Requirement 4.2.1, which mandates strong cryptography. DES findings during a PCI assessment will block certification until remediated. FedRAMP assessors classify DES usage as a HIGH finding under NIST SP 800-53 SC-13. Running this rule in CI provides evidence that DES is not present in the codebase for audit purposes.
