Import of weak encryption algorithm (DES)

  • Rule ID: go_gosec_blocklist_des
  • Languages: go
  • Source: des.yml

Description

The Data Encryption Standard (DES) is an outdated symmetric-key algorithm for encryption. Officially deemed insecure and no longer recommended for use, DES was withdrawn by the National Institute of Standards and Technology (NIST) as a standard in 2005, primarily because of its 56-bit key size, which is vulnerable to brute-force attacks.

Remediation

To ensure the confidentiality and integrity of sensitive data, it is crucial to utilize a modern and secure encryption algorithm. The use of Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) is recommended for its strong security properties and widespread acceptance as a replacement for DES.

✅ Implement AES-256 for Strong Encryption

// Use AES-256 for secure encryption by initializing a 32-byte key for AES-256
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
log.Fatal(err)
}

// Create a new cipher block from the key
blockCipher, err := aes.NewCipher(key)
if err != nil {
log.Fatal(err)
}

// Use Galois/Counter Mode (GCM) for both encryption and decryption
aead, err := cipher.NewGCM(blockCipher)
if err != nil {
log.Fatal(err)
}

var encrypted = []byte{}
var nonce = []byte{}

// Encrypt a message with AES-256 using GCM
{
msg := []byte("Some secret message")
// Ensure nonces are unique for each encryption to maintain security
nonce = make([]byte, 12)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
log.Fatal(err)
}
encrypted = aead.Seal(nil, nonce, msg, nil)
}

// Decrypt the message securely
{
msg, err := aead.Open(nil, nonce, encrypted, nil)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Decrypted: %s\n", msg)
}

❌ Do Not Use Deprecated Algorithms Avoid using deprecated cryptographic algorithms such as DES, as they do not provide adequate security against modern threats and attacks.

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_des

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_des