Insecure cipher algorithm

ID

c.cryptography.insecure_cipher

Severity

critical

Resource

Cryptography

Language

C / C++

Description

Use of insecure cipher algorithm detected. DES was withdrawn from NIST in 2005, and RC2/RC4 are vulnerable to known attacks. Consider using libsodium crypto_secretbox_easy for authenticated encryption, or OpenSSL AES ciphers if FIPS compliance is required.

Rationale

Use of insecure cipher algorithm detected. DES was withdrawn from NIST in 2005, and RC2/RC4 are vulnerable to known attacks. Consider using libsodium crypto_secretbox_easy for authenticated encryption, or OpenSSL AES ciphers if FIPS compliance is required.

The following code illustrates a vulnerable pattern detected by this rule:

void test_openssl_evp(void) {
  // VULNERABLE: Insecure cipher algorithm
  EVP_des_cbc(), EVP_des_ecb(), EVP_des_cfb(), EVP_des_ofb(), EVP_desx_cbc();
  // VULNERABLE: Insecure cipher algorithm
  EVP_rc2_40_cbc(), EVP_rc2_64_cbc(), EVP_rc4_40();
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References