# PYTHON-CRYPTO-SEC-005: DES Cipher Usage via PyCryptodome

> **Severity:** HIGH | **CWE:** CWE-327 | **OWASP:** A02:2021

- **Language:** Python
- **Category:** Cryptography
- **URL:** https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-005
- **Detection:** `pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005 --project .`

## Description

This rule detects calls to `Crypto.Cipher.DES.new()` from the PyCryptodome library.
DES (Data Encryption Standard) uses a 56-bit key. In 1999, the EFF's Deep Crack
machine broke a DES-encrypted challenge in 22 hours. Modern GPU clusters can
exhaust the entire DES keyspace in minutes. The algorithm is completely broken for
confidentiality purposes.

DES was standardized in 1977 and was already under brute-force pressure by the late
1990s. FIPS 46-3 (the DES standard) was formally withdrawn in 2005. NIST SP 800-131A
disallows DES for all uses. The 64-bit block size also exposes DES to the Sweet32
birthday attack for any key, and its eight S-boxes have been studied extensively
with differential and linear cryptanalysis.

The rule matches `PyCryptoCipherDES.method("new")`. There is no safe way to use
single DES. See PYTHON-CRYPTO-SEC-005a for the companion rule covering 3DES.


## Vulnerable Code

```python
from Crypto.Cipher import DES

# VULNERABLE: single DES (8-byte key, 56 effective bits) with a fixed all-zero IV
des = DES.new(b'8bytekey', DES.MODE_CBC, b'\x00' * 8)
```

## Secure Code

```python
from Crypto.Cipher import AES
import os

# SECURE: AES-GCM provides authenticated encryption
key = os.urandom(32)  # 256-bit key
cipher = AES.new(key, AES.MODE_GCM)
ciphertext, tag = cipher.encrypt_and_digest(b"sensitive data")
nonce = cipher.nonce  # store with ciphertext and tag; all three are needed to decrypt
```

## Detection Rule (Python SDK)

```python
from rules.python_decorators import python_rule
from codepathfinder import calls, flows, QueryType
from codepathfinder.presets import PropagationPresets

class PyCryptoCipherDES(QueryType):
    fqns = ["Crypto.Cipher.DES", "Cryptodome.Cipher.DES"]


@python_rule(
    id="PYTHON-CRYPTO-SEC-005",
    name="Insecure DES Cipher",
    severity="HIGH",
    category="cryptography",
    cwe="CWE-327",
    tags="python,pycryptodome,des,weak-cipher,CWE-327",
    message="DES has a 56-bit key, easily brute-forced. Use AES instead.",
    owasp="A02:2021",
)
def detect_des_cipher():
    """Detects DES cipher in PyCryptodome."""
    return PyCryptoCipherDES.method("new")
```
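To see what matching on those two FQNs involves, the following added example (not Code Pathfinder's implementation, and not code from the original page) resolves import aliases with the standard-library `ast` module and reports calls that end up at `Crypto.Cipher.DES.new` or `Cryptodome.Cipher.DES.new`. The function name `find_des_new_calls` and the sample source are assumptions made for illustration.

```python
import ast

# FQNs copied from the rule's `fqns` list above.
DES_FQNS = {"Crypto.Cipher.DES", "Cryptodome.Cipher.DES"}

def find_des_new_calls(source):
    """Return sorted line numbers of calls resolving to <DES module>.new()."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name it is bound to
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        elif isinstance(node, ast.Import):
            for a in node.names:
                # `import a.b.c` binds only `a`; `import a.b.c as x` binds x to a.b.c
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top

    def dotted(expr):
        """Flatten a Name/Attribute chain into a dotted FQN, or None."""
        parts = []
        while isinstance(expr, ast.Attribute):
            parts.append(expr.attr)
            expr = expr.value
        if not isinstance(expr, ast.Name):
            return None
        return ".".join([aliases.get(expr.id, expr.id)] + parts[::-1])

    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name and name.endswith(".new") and name[:-len(".new")] in DES_FQNS:
                hits.add(node.lineno)
    return sorted(hits)

# Constructed sample input (not from a real code base).
SAMPLE = """\
from Crypto.Cipher import DES, AES
from Cryptodome.Cipher import DES as LegacyCipher
import Crypto.Cipher.DES
a = DES.new(key, DES.MODE_ECB)
b = LegacyCipher.new(key, LegacyCipher.MODE_CBC, iv)
c = Crypto.Cipher.DES.new(key, Crypto.Cipher.DES.MODE_ECB)
d = AES.new(key32, AES.MODE_GCM)
"""
if __name__ == "__main__":
    print(find_des_new_calls(SAMPLE))
```

This sketch treats imports as module-wide and does not follow assignments such as `c = DES; c.new(...)`, so it is a quick triage aid rather than a substitute for the rule.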

## How to Fix

- Replace `Crypto.Cipher.DES` with AES in GCM mode (`AES.new(key, AES.MODE_GCM)`) for authenticated encryption
- Use ChaCha20-Poly1305 via the `cryptography` library as an alternative when AES hardware acceleration is unavailable
- Treat all data previously encrypted with DES as potentially compromised and assess exposure accordingly
- Generate 256-bit (32-byte) AES keys using `os.urandom(32)` or a proper KDF like PBKDF2/scrypt/Argon2
- Audit all key derivation and storage code when migrating from DES -- a DES key is 8 bytes; an AES-256 key is 32 bytes

## Security Implications

- **56-Bit Key Brute-Forceable in Under 24 Hours:** DES's 56-bit key space (2^56 = ~72 quadrillion keys) was publicly brute-forced
in 22 hours in 1999 using the EFF DES Cracker costing $250,000. Modern
commodity GPU clusters perform this attack in minutes. Any DES-encrypted data
should be considered compromised if an attacker had access to the ciphertext.

- **FIPS 46-3 Formally Withdrawn in 2005:** The DES standard FIPS 46-3 was withdrawn by NIST in 2005 and is no longer
approved for any federal information processing use. Systems that encrypt
sensitive data with DES are automatically non-compliant with FISMA, FedRAMP,
HIPAA Security Rule technical safeguards, and PCI DSS.

- **64-Bit Block Size Adds Sweet32 Exposure:** Beyond the key length problem, DES uses a 64-bit block size. Under sustained
encryption with the same key, block collisions become probable after ~32GB --
enabling birthday-bound plaintext recovery attacks. A single encryption session
is unlikely to reach this limit, but long-running services that reuse DES keys
accumulate ciphertext toward this threshold.

- **No Authentication -- Vulnerable to Chosen-Ciphertext Attacks:** DES in any mode available via PyCryptodome (CBC, CFB, OFB, ECB) provides no
integrity or authentication. CBC mode DES without a MAC is vulnerable to
padding oracle and chosen-ciphertext attacks. ECB mode leaks plaintext patterns
directly. Neither mode is safe for any use case.


## FAQ

**Q: We only use DES internally and our data has low sensitivity. Do we need to fix this?**

Yes. Internal systems are common lateral movement targets. An attacker who
compromises any internal host can collect DES-encrypted data and brute-force
it in minutes. Even if the data itself is low-sensitivity today, using DES
normalizes weak cryptography practices and creates technical debt. Compliance
frameworks like PCI DSS and HIPAA apply to system configurations regardless
of the perceived sensitivity of specific data sets.


**Q: How fast can modern hardware break a DES key?**

The 1999 EFF DES Cracker cost $250,000 and broke DES in 22 hours. A 2023
GPU cluster costing a few thousand dollars can exhaust the 2^56 DES keyspace
in under an hour. Cloud computing makes this accessible to any attacker for
under $100. DES provides no meaningful confidentiality against any motivated
adversary with commodity resources.


**Q: We use DES only to interoperate with a legacy mainframe system. What should we do?**

Interoperability constraints are the most common reason for legacy cipher usage.
The correct path is to negotiate a protocol upgrade with the mainframe team --
most modern mainframe systems support AES. As a temporary measure, minimize the
sensitivity of data exchanged over the DES channel and document the risk formally.
Add a migration deadline and track it. Do not let the temporary workaround become
permanent.


**Q: Why does PyCryptodome still include DES if it is broken?**

PyCryptodome includes DES for interoperability with legacy systems and protocols
that require decryption of existing data. The library cannot remove DES without
breaking valid use cases like reading old encrypted files or communicating with
systems that have not been updated. Inclusion in the library is a backward
compatibility decision, not an endorsement of DES for new encryption.


**Q: What is the difference between this rule and PYTHON-CRYPTO-SEC-005a?**

PYTHON-CRYPTO-SEC-005 flags single DES (Crypto.Cipher.DES), which uses one
56-bit key. PYTHON-CRYPTO-SEC-005a flags Triple DES (Crypto.Cipher.DES3), which
applies DES three times with two or three different keys. 3DES is stronger than
single DES but still has the 64-bit block size (Sweet32) and was deprecated by
NIST after 2023. Both rules recommend AES-256-GCM as the replacement.


**Q: How do compliance auditors treat DES findings during PCI DSS assessments?**

PCI DSS QSAs treat any use of DES as an automatic failure under Requirement 4.2.1,
which mandates strong cryptography. DES findings during a PCI assessment will
block certification until remediated. FedRAMP assessors classify DES usage as a
HIGH finding under NIST SP 800-53 SC-13. Running this rule in CI provides
evidence that DES is not present in the codebase for audit purposes.


## References

- [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
- [EFF DES Cracker -- Breaking DES in 22 hours (1999)](https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/)
- [FIPS 46-3: DES Standard (Withdrawn 2005)](https://csrc.nist.gov/publications/detail/fips/46/3/final)
- [NIST SP 800-131A Rev 2: Transitioning the Use of Cryptographic Algorithms](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final)
- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

