[RSPEC-2278] Neither DES (Data Encryption Standard) nor DESede (3DES) should be used - SonarSource

XML

Word

Printable

Details

Type: Vulnerability Detection
Status: Superseded
Resolution: Unresolved
Labels:
- cert
- cwe
- owasp-a6
- sans-top25-porous

Message:
Use the recommended AES (Advanced Encryption Standard) instead.
Default Severity:
Blocker
Impact:
High
Likelihood:
High
Covered Languages:

C#, Java, PHP, PL/SQL, Swift
Remediation Function:
Constant/Issue
Constant Cost:
20min
Analysis Scope:

Main Sources
Common Rule:

Yes

CERT:
MSC61-J.
CWE:
CWE-326, CWE-327
OWASP:
A6
SANS Top 25:
Porous Defenses

Fortify:
weak_encryption

Description

According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:

Adopted in 1977 for federal agencies to use in protecting sensitive, unclassified information, the DES is being withdrawn because it no longer provides the security that is needed to protect federal government information.
Federal agencies are encouraged to use the Advanced Encryption Standard, a faster and stronger algorithm approved as FIPS 197 in 2001.

For similar reasons, RC2 should also be avoided.

Noncompliant Code Example

Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");

Compliant Solution

Cipher c = Cipher.getInstance("AES/GCM/NoPadding");

See

OWASP Top 10 2017 Category A6 - Security Misconfiguration
MITRE, CWE-326 - Inadequate Encryption Strength
MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CERT, MSC61-J. - Do not use insecure or weak cryptographic algorithms
SANS Top 25 - Porous Defenses
Derived from FindSecBugs rule DES / DESede Unsafe

Attachments

Issue Links

is implemented by

SONARSWIFT-381 Rule S2278: Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

Closed

CPP-2022 Rule S2278: Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

Closed

SONARPHP-794 Rule S2278: Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

Closed

SONARPLSQL-699 Rule S2278: Neither DES (Data Encryption Standard) nor DESede (3DES) should be used

Closed

SONARJAVA-1210 S2278 should react to properties default value

Closed

is related to

CPP-2320 Rule S5547: Cipher algorithms should be robust

Closed

SONARJAVA-3737 Improve rules relying on String literals to support identifier from a final or effectively final variable.

Closed

is superceded by

RSPEC-5547 Cipher algorithms should be robust

Active

relates to

RSPEC-4787 Encrypting data is security-sensitive

Deprecated

links to

is implemented by sonar-csharp/issues/150

is implemented by SonarJS/issues/996

(2 is related to, 1 is superceded by, 1 relates to, 2 links to)

Options

Progress

Sub-Tasks

1.	C#	RSPEC-3134	Deprecated	Unassigned
2.	PHP	RSPEC-4689	Deprecated	Unassigned
3.	Python	RSPEC-4690	Active	Unassigned
4.	C-Family	RSPEC-4694	Active	Unassigned
5.	Swift	RSPEC-4800	Active	Unassigned
6.	PL/SQL	RSPEC-4953	Active	Unassigned

Activity

People

Assignee:: Unassigned

Reporter:: Freddy Mallet (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Dec/14 8:52 PM

Updated:: 18/Mar/21 11:37 AM