# PYTHON-CRYPTO-SEC-005a: Triple DES (3DES) Cipher Usage via PyCryptodome

> **Severity:** MEDIUM | **CWE:** CWE-327 | **OWASP:** A02:2021

- **Language:** Python
- **Category:** Cryptography
- **URL:** https://codepathfinder.dev/registry/python/cryptography/PYTHON-CRYPTO-SEC-005a
- **Detection:** `pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-005a --project .`

## Description

This rule detects calls to `Crypto.Cipher.DES3.new()` from the PyCryptodome library.
Triple DES (3DES, TDEA) applies the DES algorithm three times with either two or
three independent keys (112-bit or 168-bit effective key strength). While 3DES is
significantly stronger than single DES against brute-force attacks, it retains the
64-bit block size that makes it vulnerable to the Sweet32 birthday attack.

NIST formally deprecated 3DES (TDEA) for new applications after December 31, 2023,
as documented in NIST SP 800-131A Rev 2 and NIST SP 800-67 Rev 2. 3DES is also
approximately three times slower than single DES and orders of magnitude slower than
AES with hardware acceleration. Systems using 3DES in long-lived TLS sessions or
bulk data encryption are exposed to Sweet32: after ~32GB under the same key, block
collisions enable partial plaintext recovery.

The rule matches `PyCryptoCipherDES3.method("new")`. The companion rule
PYTHON-CRYPTO-SEC-005 covers single DES.


## Vulnerable Code

```python
from Crypto.Cipher import DES3

# VULNERABLE: Triple DES has a 64-bit block size (Sweet32); keys must be 16 or 24 bytes
des3 = DES3.new(b'twenty_four_byte_key_3ds', DES3.MODE_CBC, b'\x00' * 8)
```

## Secure Code

```python
from Crypto.Cipher import AES
import os

# SECURE: AES-GCM provides authenticated encryption
key = os.urandom(32)  # 256-bit key
cipher = AES.new(key, AES.MODE_GCM)
ciphertext, tag = cipher.encrypt_and_digest(b"sensitive data")
# Store cipher.nonce and tag alongside the ciphertext; both are needed to decrypt and verify
```

## Detection Rule (Python SDK)

```python
from rules.python_decorators import python_rule
from codepathfinder import calls, flows, QueryType
from codepathfinder.presets import PropagationPresets

class PyCryptoCipherDES(QueryType):
    fqns = ["Crypto.Cipher.DES", "Cryptodome.Cipher.DES"]

class PyCryptoCipherDES3(QueryType):
    fqns = ["Crypto.Cipher.DES3", "Cryptodome.Cipher.DES3"]


@python_rule(
    id="PYTHON-CRYPTO-SEC-005a",
    name="Insecure Triple DES Cipher",
    severity="MEDIUM",
    category="cryptography",
    cwe="CWE-327",
    tags="python,pycryptodome,3des,triple-des,weak-cipher,CWE-327",
    message="Triple DES (3DES) is deprecated. Use AES instead.",
    owasp="A02:2021",
)
def detect_des3_cipher():
    """Detects Triple DES cipher in PyCryptodome."""
    return PyCryptoCipherDES3.method("new")
```
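
To see which call sites the `fqns` list above is meant to cover, this added example (not Code Pathfinder's engine or SDK code) approximates the match with the standard-library `ast` module by resolving import aliases. `find_des3_calls`, `_dotted`, `TARGETS` and `SAMPLE` are hypothetical names, and the sample source is constructed.

```python
import ast

# FQNs from the rule's PyCryptoCipherDES3.fqns, with the matched method appended.
TARGETS = {"Crypto.Cipher.DES3.new", "Cryptodome.Cipher.DES3.new"}

def _dotted(node):
    """Turn a Name/Attribute chain such as a.b.c into 'a.b.c', else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def find_des3_calls(source):
    """Return line numbers of calls that resolve to DES3.new() via imports."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified name it was imported as
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:  # 'import x.y' binds only the root name 'x'
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in ast.walk(tree):
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name:
            head, _, rest = name.partition(".")
            fqn = aliases.get(head, head) + ("." + rest if rest else "")
            if fqn in TARGETS:
                hits.append(node.lineno)
    return sorted(hits)

# Constructed sample input: three aliased 3DES calls, one AES call, one comment.
SAMPLE = """\
from Crypto.Cipher import DES3
from Cryptodome.Cipher import DES3 as TDES
import Crypto.Cipher.DES3 as d3
from Crypto.Cipher import AES
a = DES3.new(k, DES3.MODE_CBC, iv)
b = TDES.new(k, TDES.MODE_CFB, iv)
c = d3.new(k, d3.MODE_ECB)
d = AES.new(k2, AES.MODE_GCM)  # not DES3.new(
"""

if __name__ == "__main__":
    print(find_des3_calls(SAMPLE))
```

The sketch is flow-insensitive: it does not follow assignments such as `make = DES3.new`, which is where a type-aware engine goes further than a text or AST search.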

## How to Fix

- Replace `Crypto.Cipher.DES3` with AES in GCM mode (`AES.new(key, AES.MODE_GCM)`) for authenticated encryption
- Use ChaCha20-Poly1305 as an alternative if AES hardware acceleration is not available in the deployment environment
- Complete migration from 3DES before the NIST SP 800-131A disallowance deadline for existing applications
- Ensure any TLS configuration disables Sweet32-vulnerable cipher suites (`TLS_RSA_WITH_3DES_EDE_CBC_SHA`) in parallel
- Re-encrypt data stored under 3DES with AES-256-GCM and rotate all 3DES key material after migration

## Security Implications

- **64-Bit Block Size -- Sweet32 Birthday Attack:** 3DES inherits DES's 8-byte block size. After approximately 32GB of ciphertext
under the same key, the probability of a block collision exceeds 50%. In CBC
mode, an attacker who observes a collision can XOR adjacent ciphertext blocks
to recover a plaintext segment. HTTPS servers processing significant traffic
with 3DES cipher suites were practically exploited via Sweet32 in 2016.

- **NIST Deprecated 3DES After December 31, 2023:** NIST SP 800-131A Rev 2 and NIST SP 800-67 Rev 2 formally disallow 3DES for
new applications after 2023 and for existing applications after 2030. Systems
subject to FedRAMP, FISMA, or NIST-aligned frameworks must migrate to AES.
Using 3DES in new code written after 2023 is an immediate compliance violation.

- **Significantly Slower Than AES Without Any Compensating Benefit:** 3DES performs three full DES operations per block. On hardware with AES-NI
instruction support -- which is essentially all x86 CPUs since ~2010 --
AES-256-GCM is 5-10x faster than 3DES. For high-throughput services, 3DES
imposes a measurable performance penalty with no security advantage over AES.

- **No Authenticated Encryption -- MAC-then-Encrypt Vulnerabilities:** PyCryptodome's DES3 in CBC or other classic modes provides no authentication.
Applications that wrap 3DES with a separate MAC often implement the MAC
incorrectly (encrypt-then-MAC vs MAC-then-encrypt ordering). AES-GCM provides
both confidentiality and authentication atomically, eliminating this error class.
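
The CBC collision relation from the Sweet32 item above, shown on a toy 16-bit block so that collisions appear within a few thousand blocks. This is an added example, not code from the rule or from PyCryptodome; `toy_prp` is a hypothetical stand-in permutation (not DES or 3DES) and the plaintext is constructed.

```python
import random

BLOCK_BITS = 16            # toy block size for the demo (3DES: 64, AES: 128)
N = 1 << BLOCK_BITS

def toy_prp(key):
    """Keyed permutation on 16-bit blocks; a stand-in for a block cipher."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(table, iv, blocks):
    """CBC: C_i = E(P_i xor C_{i-1}) with C_0 = IV. Returns [IV, C_1, ...]."""
    out = [iv]
    for p in blocks:
        out.append(table[p ^ out[-1]])
    return out

def find_collisions(ct):
    """Return (i, j) index pairs, i < j, whose ciphertext blocks are equal."""
    seen, pairs = {}, []
    for idx in range(1, len(ct)):
        if ct[idx] in seen:
            pairs.append((seen[ct[idx]], idx))
        else:
            seen[ct[idx]] = idx
    return pairs

def leaked_xor(ct, i, j):
    """C_i == C_j implies P_i xor P_j == C_{i-1} xor C_{j-1}."""
    return ct[i - 1] ^ ct[j - 1]

def demo(n_blocks=2000, seed=1):
    rng = random.Random(seed)  # constructed sample plaintext
    pt = [rng.randrange(N) for _ in range(n_blocks)]
    ct = cbc_encrypt(toy_prp(key=42), iv=rng.randrange(N), blocks=pt)
    pairs = find_collisions(ct)
    # pt is 0-indexed while ct[k] encrypts pt[k - 1].
    ok = all(leaked_xor(ct, i, j) == pt[i - 1] ^ pt[j - 1] for i, j in pairs)
    return len(pairs), ok

if __name__ == "__main__":
    count, ok = demo()
    print(f"{count} colliding block pairs in 2000 blocks; XOR relation holds: {ok}")
```

The relation depends only on the block size and the CBC construction, not on key length, which is why a larger key does not help 3DES here while a 128-bit block does.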


## FAQ

**Q: 3DES uses 168-bit keys. Why is it rated MEDIUM severity rather than HIGH?**

The MEDIUM severity reflects that 3DES is not immediately brute-forceable the
way single DES is. Its 168-bit (or 112-bit effective) key space provides
reasonable key strength. The primary risks are the 64-bit block size (Sweet32)
and the NIST deprecation deadline. These are serious concerns that require
migration, but they represent a different risk profile than single DES, where
the key itself can be exhausted in minutes.


**Q: NIST says 3DES is disallowed for new applications after 2023 but existing applications have until 2030. Are we safe?**

The 2030 deadline for existing applications is a transition period, not a
security guarantee. Sweet32 applies today regardless of the NIST timeline, and
any TLS session using 3DES cipher suites has been practically exploitable since
2016. Additionally, writing new code with 3DES in 2024 or later is explicitly
disallowed by NIST SP 800-131A Rev 2. The 2030 date applies only to
already-deployed systems, not new development.


**Q: We use 3DES for interoperability with a payment processing system that requires it. What should we do?**

Payment network interoperability (particularly older HSM-based PIN encryption
using TDES) is the most common legitimate use of 3DES. In this context, push
for protocol negotiation of AES with your payment processor -- major payment
networks have published timelines for AES migration. As a transitional measure,
limit the volume of data encrypted per key, ensure keys rotate before the 32GB
Sweet32 threshold, and document the compliance exception formally.


**Q: How does Sweet32 practically affect a 3DES-encrypted HTTPS server?**

An attacker who can inject JavaScript into the browser (e.g., via a third-party
ad or XSS on another tab) can cause the browser to make thousands of requests
per second carrying a known fragment (such as a CSRF token). After approximately
32GB of traffic -- achievable within hours on a busy server -- a block collision
reveals the session cookie. This attack was demonstrated against real servers
in 2016. All major browsers subsequently disabled 3DES cipher suites.


**Q: How do I identify all 3DES key material in our system for rotation?**

Search for DES3 key references in configuration files, secrets managers, HSMs,
and database key tables. DES3 keys are 16 bytes (two-key 3DES) or 24 bytes
(three-key 3DES). Document all locations before starting migration. Replace each
key with a 32-byte AES-256 key, re-encrypt the associated data under AES-GCM,
and then securely destroy the 3DES key material.


## References

- [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
- [Sweet32: Birthday attacks on 64-bit block ciphers](https://sweet32.info/)
- [NIST SP 800-131A Rev 2: Transitioning the Use of Cryptographic Algorithms](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final)
- [NIST SP 800-67 Rev 2: Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher](https://csrc.nist.gov/publications/detail/sp/800-67/rev-2/final)
- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

