RSPEC-2278

Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

    Details

    • Message:
      Use the recommended AES (Advanced Encryption Standard) instead.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, JavaScript
    • Covered Languages:
      C#, Java, PHP, PL/SQL, Swift
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CERT:
      MSC61-J.
    • CWE:
      CWE-326, CWE-327
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      DES_USAGE, TDES_USAGE, CIPHER_INTEGRITY
    • Fortify:
      weak_encryption

      Description

      According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:

      Adopted in 1977 for federal agencies to use in protecting sensitive, unclassified information, the DES is being withdrawn because it no longer provides the security that is needed to protect federal government information.
      Federal agencies are encouraged to use the Advanced Encryption Standard, a faster and stronger algorithm approved as FIPS 197 in 2001.

      For similar reasons, RC2 should also be avoided.

      Noncompliant Code Example

      // Noncompliant: 3DES (DESede), and in ECB mode, which also leaks plaintext patterns
      Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");

      Compliant Solution

      // Compliant: AES in GCM mode (authenticated encryption, no padding needed)
      Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

      Issue Links

          1. C# RSPEC-3134 Language-Specification Active Unassigned
          2. PHP RSPEC-4689 Language-Specification Active Unassigned
          3. Python RSPEC-4690 Language-Specification Active Unassigned
          4. C-Family RSPEC-4694 Language-Specification Active Unassigned
          5. Swift RSPEC-4800 Language-Specification Active Unassigned
          6. PL/SQL RSPEC-4953 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
              • Reporter:
                Freddy Mallet (Inactive)