Use of a Broken or Risky Cryptographic Algorithm
- Rule ID: go_gosec_blocklist_des
- Languages: go
- Source: des.yml
Description
The Data Encryption Standard (DES) is an outdated symmetric-key algorithm for encryption. Officially deemed insecure and no longer recommended for use, DES was withdrawn by the National Institute of Standards and Technology (NIST) as a standard in 2005, primarily because of its 56-bit key size, which is vulnerable to brute-force attacks.
Remediation
To ensure the confidentiality and integrity of sensitive data, it is crucial to utilize a modern and secure encryption algorithm. The use of Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) is recommended for its strong security properties and widespread acceptance as a replacement for DES.
✅ Implement AES-256 for Strong Encryption
// Use AES-256 for secure encryption by initializing a 32-byte key for AES-256
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
log.Fatal(err)
}
// Create a new cipher block from the key
blockCipher, err := aes.NewCipher(key)
if err != nil {
log.Fatal(err)
}
// Use Galois/Counter Mode (GCM) for both encryption and decryption
aead, err := cipher.NewGCM(blockCipher)
if err != nil {
log.Fatal(err)
}
var encrypted = []byte{}
var nonce = []byte{}
// Encrypt a message with AES-256 using GCM
{
msg := []byte("Some secret message")
// Ensure nonces are unique for each encryption to maintain security
nonce = make([]byte, 12)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
log.Fatal(err)
}
encrypted = aead.Seal(nil, nonce, msg, nil)
}
// Decrypt the message securely
{
msg, err := aead.Open(nil, nonce, encrypted, nil)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Decrypted: %s\n", msg)
}
❌ Do Not Use Deprecated Algorithms Avoid using deprecated cryptographic algorithms such as DES, as they do not provide adequate security against modern threats and attacks.
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_des
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_des
Ready to take the next step? Learn more about Bearer Cloud.