Triple DES (3DES) Cipher Usage via PyCryptodome

Severity: MEDIUM

Detects use of Triple DES (3DES) through PyCryptodome, which has a 64-bit block size vulnerable to Sweet32 birthday attacks and was deprecated by NIST after 2023.

Rule Information

Language: Python
Category: Cryptography
Author: Shivasurya
Last Updated: 2026-03-22
Tags: python, pycryptodome, 3des, triple-des, des3, sweet32, nist-deprecated, 64-bit-block, CWE-327, OWASP-A02

pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005a --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects calls to `Crypto.Cipher.DES3.new()` from the PyCryptodome library. Triple DES (3DES, TDEA) applies the DES algorithm three times with either two or three independent keys (112-bit or 168-bit effective key strength). While 3DES is significantly stronger than single DES against brute-force attacks, it retains the 64-bit block size that makes it vulnerable to the Sweet32 birthday attack.

NIST formally deprecated 3DES (TDEA) for new applications after December 31, 2023, as documented in NIST SP 800-131A Rev 2 and NIST SP 800-67 Rev 2. 3DES is also approximately three times slower than single DES and orders of magnitude slower than AES with hardware acceleration. Systems using 3DES in long-lived TLS sessions or bulk data encryption are exposed to Sweet32: after ~32GB under the same key, block collisions enable partial plaintext recovery.

The rule matches `PyCryptoCipherDES3.method("new")`. The companion rule PYTHON-CRYPTO-SEC-005 covers single DES.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. 64-Bit Block Size -- Sweet32 Birthday Attack

3DES inherits DES's 8-byte block size. After approximately 32GB of ciphertext under the same key, the probability of a block collision exceeds 50%. In CBC mode, an attacker who observes a collision can XOR adjacent ciphertext blocks to recover a plaintext segment. HTTPS servers processing significant traffic with 3DES cipher suites were practically exploited via Sweet32 in 2016.

2. NIST Deprecated 3DES After December 31, 2023

NIST SP 800-131A Rev 2 and NIST SP 800-67 Rev 2 formally disallow 3DES for new applications after 2023 and for existing applications after 2030. Systems subject to FedRAMP, FISMA, or NIST-aligned frameworks must migrate to AES. Using 3DES in new code written after 2023 is an immediate compliance violation.

3. Significantly Slower Than AES Without Any Compensating Benefit

3DES performs three full DES operations per block. On hardware with AES-NI instruction support -- which is essentially all x86 CPUs since ~2010 -- AES-256-GCM is 5-10x faster than 3DES. For high-throughput services, 3DES imposes a measurable performance penalty with no security advantage over AES.

4. No Authenticated Encryption -- MAC-then-Encrypt Vulnerabilities

PyCryptodome's DES3 in CBC or other classic modes provides no authentication. Applications that wrap 3DES with a separate MAC often implement the MAC incorrectly (encrypt-then-MAC vs MAC-then-encrypt ordering). AES-GCM provides both confidentiality and authentication atomically, eliminating this error class.

How to Fix

Recommended remediation steps

  1. Replace `Crypto.Cipher.DES3` with AES in GCM mode (`AES.new(key, AES.MODE_GCM)`) for authenticated encryption
  2. Use ChaCha20-Poly1305 as an alternative if AES hardware acceleration is not available in the deployment environment
  3. Complete migration from 3DES before the NIST SP 800-131A disallowance deadline for existing applications
  4. Ensure any TLS configuration disables SWEET32-vulnerable cipher suites (TLS_RSA_WITH_3DES_EDE_CBC_SHA) in parallel
  5. Re-encrypt data stored under 3DES with AES-256-GCM and rotate all 3DES key material after migration

Detection Scope

How Code Pathfinder analyzes your code for this vulnerability

This rule matches calls to `Crypto.Cipher.DES3.new()` in PyCryptodome via the QueryType pattern `PyCryptoCipherDES3.method("new")`. It fires on any Triple DES cipher object instantiation regardless of key size (16 or 24 bytes) or cipher mode. The 64-bit block size vulnerability and NIST deprecation apply to all 3DES configurations. The companion rule PYTHON-CRYPTO-SEC-005 covers single DES.
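
A simplified stand-in for this detection scope, written with Python's standard `ast` module as an added example; it is not Code Pathfinder's rule or engine. It resolves import aliases and flags every call that resolves to `Crypto.Cipher.DES3.new`, whatever the key size or mode; the function names and the sample source are assumptions, and it does not follow reassignments such as `mk = DES3.new`.

```python
import ast

TARGET = "Crypto.Cipher.DES3.new"

# Constructed sample source to scan; it is parsed, never executed.
SAMPLE = """\
from Crypto.Cipher import DES3, AES
from Crypto.Cipher import DES3 as TDES
import Crypto.Cipher.DES3
import hashlib
c1 = DES3.new(key24, DES3.MODE_CBC, iv)
c2 = TDES.new(key16, TDES.MODE_ECB)
c3 = Crypto.Cipher.DES3.new(key24, Crypto.Cipher.DES3.MODE_CFB, iv)
ok = AES.new(key32, AES.MODE_GCM)
h = hashlib.new("sha256")
"""


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join([node.id] + parts[::-1])


def find_des3_calls(source):
    """Return sorted (line, call-as-written) pairs that resolve to TARGET."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name it was imported as
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:  # plain `import a.b.c` already resolves as written
                    aliases[a.asname] = a.name
    hits = []
    for node in ast.walk(tree):
        name = dotted(node.func) if isinstance(node, ast.Call) else None
        if name:
            head, _, rest = name.partition(".")
            resolved = ".".join(filter(None, [aliases.get(head, head), rest]))
            if resolved == TARGET:
                hits.append((node.lineno, name))
    return sorted(hits)
```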

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

OWASP Top 10: A02:2021 - Cryptographic Failures
PCI DSS v4.0: Requirement 4.2.1 -- use strong cryptography for data protection
NIST SP 800-131A: Transitioning to approved algorithms -- RC4/DES/3DES disallowed
NIST SP 800-53: SC-13: Cryptographic Protection
NIST SP 800-67 Rev 2: 3DES deprecated for new applications after 2023, disallowed for all after 2030

Frequently Asked Questions

Common questions about Triple DES (3DES) Cipher Usage via PyCryptodome

The MEDIUM severity reflects that 3DES is not immediately brute-forceable the way single DES is. Its 168-bit (or 112-bit effective) key space provides reasonable key strength. The primary risks are the 64-bit block size (Sweet32) and the NIST deprecation deadline. These are serious concerns that require migration, but they represent a different risk profile than single DES, where the key itself can be exhausted in minutes.

The 2030 deadline for existing applications is a transition period, not a security guarantee. Sweet32 applies today regardless of the NIST timeline, and any TLS session using 3DES cipher suites has been practically exploitable since 2016. Additionally, writing new code with 3DES in 2024 or later is explicitly disallowed by NIST SP 800-131A Rev 2. The 2030 date applies only to already-deployed systems, not new development.

Payment network interoperability (particularly older HSM-based PIN encryption using TDES) is the most common legitimate use of 3DES. In this context, push for protocol negotiation of AES with your payment processor -- major payment networks have published timelines for AES migration. As a transitional measure, limit the volume of data encrypted per key, ensure keys rotate before the 32GB Sweet32 threshold, and document the compliance exception formally.

An attacker who can inject JavaScript into the browser (e.g., via a third-party ad or XSS on another tab) can cause the browser to make thousands of requests per second carrying a known fragment (such as a CSRF token). After approximately 32GB of traffic -- achievable within hours on a busy server -- a block collision reveals the session cookie. This attack was demonstrated against real servers in 2016. All major browsers subsequently disabled 3DES cipher suites.

Search for DES3 key references in configuration files, secrets managers, HSMs, and database key tables. DES3 keys are 16 bytes (two-key 3DES) or 24 bytes (three-key 3DES). Document all locations before starting migration. Replace each key with a 32-byte AES-256 key, re-encrypt the associated data under AES-GCM, and then securely destroy the 3DES key material.
