Import blacklist: crypto/des GSC-G502
Security
Major
a02
cwe-327
sans top 25
owasp top 10
Detects imports of crypto/des since they are considered vulnerable.
Go's official documentation also warns against the usage of DES
Most common alternative for the insecure algorithm:
- Use AES instead of DES/3DES
Although, we recommend doing some initial research before using any encryption/hashing algorithm to determine which is best for your use case.
Refer to https://paginas.fe.up.pt/~ei10109/ca/des-vulnerabilities.html to understand the vulnerability in detail.
Bad practice
package main
import (
"crypto/cipher"
"crypto/des"
"crypto/rand"
"encoding/hex"
"fmt"
"io"
)
func main() {
block, err := des.NewCipher([]byte("sekritz"))
if err != nil {
panic(err)
}
plaintext := []byte("I CAN HAZ SEKRIT MSG PLZ")
ciphertext := make([]byte, des.BlockSize+len(plaintext))
iv := ciphertext[:des.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
panic(err)
}
stream := cipher.NewCFBEncrypter(block, iv)
stream.XORKeyStream(ciphertext[des.BlockSize:], plaintext)
fmt.Println("Secret message is: %s", hex.EncodeToString(ciphertext))
}