This vulnerability exposes encrypted data to a number of attacks whose goal is to recover the plaintext.

Why is this an issue?

Encryption algorithms are essential for protecting sensitive information and ensuring secure communications in a variety of domains. They are used for several important reasons:

• Confidentiality, privacy, and intellectual property protection
• Security during transmission or on storage devices
• Data integrity, general trust, and authentication

When selecting encryption algorithms, tools, or combinations, you should also consider two things:

1. No encryption is unbreakable.
2. The strength of an encryption algorithm is usually measured by the effort required to crack it within a reasonable time frame.

For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and secure by the cryptography community.

For AES, the weakest modes are CBC (Cipher Block Chaining) and ECB

(Electronic Codebook), as they are either vulnerable to padding oracles or do not provide authentication mechanisms.

And for RSA, the weakest algorithms are either using it without padding or using the PKCS1v1.5 padding scheme.

What is the potential impact?

The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.

Below are some real-world scenarios that illustrate possible impacts of an attacker exploiting the vulnerability.

Theft of sensitive data

The encrypted message might contain data that is considered sensitive and should not be known to third parties.

By using a weak algorithm the likelihood that an attacker might be able to recover the cleartext drastically increases.

Additional attack surface

By modifying the cleartext of the encrypted message it might be possible for an attacker to trigger other vulnerabilities in the code. Encrypted values are often considered trusted, since under normal circumstances it would not be possible for a third party to modify them.

How to fix it in PyCrypto

Code examples

Noncompliant code example

Example with a symmetric cipher, AES:

from Crypto.Cipher import AES

AES.new(key, AES.MODE_ECB) # Noncompliant

Example with an asymmetric cipher, RSA:

from Crypto.Cipher import PKCS1_v1_5

PKCS1_v1_5.new(key) # Noncompliant

Compliant solution

Since PyCrypto is not supported anymore, another library should be used. In the current context, Cryptodome uses a similar API.

For the AES symmetric cipher, use the GCM mode:

from Crypto.Cipher import AES

AES.new(key, AES.MODE_GCM)

For the RSA asymmetric cipher, use the Optimal Asymmetric Encryption Padding (OAEP):

from Crypto.Cipher import PKCS1_OAEP

PKCS1_OAEP.new(key)

How does this work?

As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.

Appropriate choices are currently the following.

For AES: Use Galois/Counter mode (GCM)

GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and authenticity of data.

Other similar modes are:

• CCM: Counter with CBC-MAC
• CWC: Cipher Block Chaining with Message Authentication Code
• EAX: Encrypt-and-Authenticate
• IAPM: Integer Authenticated Parallelizable Mode
• OCB: Offset Codebook Mode

It is also possible to use AES-CBC with HMAC for integrity checks. However, it

is considered more straightforward to use AES-GCM directly instead.

For RSA: use the OAEP scheme

The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of RSA.

How to fix it in pyca

Code examples

Noncompliant code example

Example with a symmetric cipher, AES:

from cryptography.hazmat.primitives.ciphers import (
    Cipher,
    algorithms,
    modes,
)
from cryptography.hazmat.backends import default_backend

Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) # Noncompliant

Example with an asymmetric cipher, RSA:

from cryptography.hazmat.primitives.asymmetric import (
    rsa,
    padding,
)

private_key = rsa.generate_private_key(
  public_exponent=65537,
  key_size=2048,
  backend=default_backend()
)

public_key = private_key.public_key()

public_key.encrypt(
  message,
  padding.PKCS1v15() # Noncompliant
)

Compliant solution

For the AES symmetric cipher, use the GCM mode:

from cryptography.hazmat.primitives.ciphers import (
    Cipher,
    algorithms,
    modes,
)
from cryptography.hazmat.backends import default_backend

Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend())

from cryptography.hazmat.primitives.asymmetric import (
    rsa,
    padding,
)
from cryptography.hazmat.primitives import hashes

private_key = rsa.generate_private_key(
  public_exponent=65537,
  key_size=2048,
  backend=default_backend()
)

public_key = private_key.public_key()

public_key.encrypt(
  message,
  padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None
  )
)

How does this work?

As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.

Appropriate choices are currently the following.

For AES: Use Galois/Counter mode (GCM)

GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and authenticity of data.

Other similar modes are:

• CCM: Counter with CBC-MAC
• CWC: Cipher Block Chaining with Message Authentication Code
• EAX: Encrypt-and-Authenticate
• IAPM: Integer Authenticated Parallelizable Mode
• OCB: Offset Codebook Mode

It is also possible to use AES-CBC with HMAC for integrity checks. However, it

is considered more straightforward to use AES-GCM directly instead.

For RSA: use the OAEP scheme

The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of RSA.

How to fix it in Cryptodome

Code examples

Noncompliant code example

Example with a symmetric cipher, AES:

from Crypto.Cipher import AES     # pycryptodome
from Cryptodome.Cipher import AES # pycryptodomex

AES.new(key, AES.MODE_ECB)  # Noncompliant

Example with an asymmetric cipher, RSA:

from Crypto.Cipher import PKCS1_V1_5     # pycryptodome
from Cryptodome.Cipher import PKCS1_V1_5 # pycryptodomex

PKCS1_v1_5.new(key) # Noncompliant

Compliant solution

For the AES symmetric cipher, use the GCM mode:

from Crypto.Cipher import AES     # pycryptodome
from Cryptodome.Cipher import AES # pycryptodomex

AES.new(key, AES.MODE_GCM)

For the RSA asymmetric cipher, use the Optimal Asymmetric Encryption Padding (OAEP):

from Crypto.Cipher import PKCS1_V1_5     # pycryptodome
from Cryptodome.Cipher import PKCS1_V1_5 # pycryptodomex

PKCS1_OAEP.new(key)

How does this work?

As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.

Appropriate choices are currently the following.

For AES: Use Galois/Counter mode (GCM)

GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and authenticity of data.

Other similar modes are:

• CCM: Counter with CBC-MAC
• CWC: Cipher Block Chaining with Message Authentication Code
• EAX: Encrypt-and-Authenticate
• IAPM: Integer Authenticated Parallelizable Mode
• OCB: Offset Codebook Mode

It is also possible to use AES-CBC with HMAC for integrity checks. However, it

is considered more straightforward to use AES-GCM directly instead.

For RSA: use the OAEP scheme

The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of RSA.

How to fix it in pyDes

Code examples

Noncompliant code example

import pyDes

pyDes.des(key) # Noncompliant

Compliant solution

Since pyDes only provides DES, it is recommended to use another library like pyca.

from cryptography.hazmat.primitives.ciphers import (
    Cipher,
    algorithms,
    modes,
)
from cryptography.hazmat.backends import default_backend

Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend())

How does this work?

As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.

Appropriate choices are currently the following.

For AES: Use Galois/Counter mode (GCM)

GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and authenticity of data.

Other similar modes are:

• CCM: Counter with CBC-MAC
• CWC: Cipher Block Chaining with Message Authentication Code
• EAX: Encrypt-and-Authenticate
• IAPM: Integer Authenticated Parallelizable Mode
• OCB: Offset Codebook Mode

It is also possible to use AES-CBC with HMAC for integrity checks. However, it

is considered more straightforward to use AES-GCM directly instead.

For RSA: use the OAEP scheme

The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of RSA.

Resources

Articles & blog posts

• Microsoft, Timing vulnerabilities with CBC-mode symmetric decryption using padding
• Wikipedia, Padding Oracle Attack
• Wikipedia, Chosen-Ciphertext Attack
• Wikipedia, Chosen-Plaintext Attack
• Wikipedia, Semantically Secure Cryptosystems
• Wikipedia, OAEP
• Wikipedia, Galois/Counter Mode

Standards

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
• SANS Top 25 - Porous Defenses