Use of a Broken or Risky Cryptographic Algorithm in golang.org/x/crypto Package
Using weak ciphers for cryptographic algorithms can pose significant security risks, and it's generally advised to avoid them in favor of stronger, more secure algorithms. Here's some guidance that advises against using weak ciphers like Blowfish, CAST5, TEA/XTEA, and Twofish:
Blowfish: Developed in 1993, Blowfish is a block cipher known for its simplicity. However, its small block size of 64 bits makes it susceptible to birthday attacks in modern contexts. This vulnerability is significant when encrypting large amounts of data, which is common in current applications.
CAST5 (CAST-128): CAST5, a symmetric encryption algorithm, suffers from similar issues as Blowfish due to its 64-bit block size. While it was considered secure for its time, modern applications typically require algorithms with larger block sizes for enhanced security.
TEA/XTEA: The Tiny Encryption Algorithm (TEA) and its successor, eXtended TEA (XTEA), are lightweight block ciphers. They are notable for their simplicity and ease of implementation but have known vulnerabilities, including susceptibility to differential cryptanalysis. These weaknesses make them less suitable for applications where strong security is a priority.
Twofish: As a finalist in the Advanced Encryption Standard (AES) competition, Twofish is a respected algorithm. However, it was not selected as the standard, and over time, AES has become the more tested and trusted choice in most cryptographic applications.
In summary, there is a consensus among reputable standards organizations, industry experts, and security professionals that weak ciphers like Blowfish, CAST5, TEA/XTEA, and Twofish should be avoided due to their known vulnerabilities and weaknesses. Instead, it is advisable to use stronger, more secure cryptographic algorithms and adhere to industry best practices and regulatory requirements for encryption and security.
Examples
package main
import (
"log"
"golang.org/x/crypto/twofish"
)
func main() {
key := []byte("examplekey123456")
_, err := twofish.NewCipher(key)
if err != nil {
log.Fatalf("Failed to create cipher: %v", err)
}
}
Remediation
It is advisable to use stronger, more secure cryptographic algorithms such as
aes.
package main
import (
"log"
"crypto/aes"
)
func main() {
key := []byte("examplekey123456")
_, err := aes.NewCipher(key)
if err != nil {
log.Fatalf("Failed to create cipher: %v", err)
}
}
False Positives
In the case of a false positive the rule can be suppressed. Simply add a
trailing or preceding comment line with either the rule ID (GO502) or
rule category name (use_of_a_broken_or_risky_cryptographic_algorithm).
- Using rule ID
- Using category name
package main
import (
"log"
"golang.org/x/crypto/twofish"
)
func main() {
key := []byte("examplekey123456")
// suppress: GO502
_, err := twofish.NewCipher(key)
if err != nil {
log.Fatalf("Failed to create cipher: %v", err)
}
}
package main
import (
"log"
"golang.org/x/crypto/twofish"
)
func main() {
key := []byte("examplekey123456")
// suppress: use_of_a_broken_or_risky_cryptographic_algorithm
_, err := twofish.NewCipher(key)
if err != nil {
log.Fatalf("Failed to create cipher: %v", err)
}
}
See also
- blowfish package - golang.org_x_crypto_twofish - Go Packages
- cast5 package - golang.org_x_crypto_twofish - Go Packages
- tea package - golang.org_x_crypto_twofish - Go Packages
- twofish package - golang.org_x_crypto_twofish - Go Packages
- xtea package - golang.org_x_crypto_twofish - Go Packages
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm