Use of a Broken or Risky Cryptographic Algorithm

Rule ID: go_gosec_blocklist_des
Languages: go
Source: des.yml

Description

The Data Encryption Standard (DES) is an outdated symmetric-key algorithm for encryption. Officially deemed insecure and no longer recommended for use, DES was withdrawn by the National Institute of Standards and Technology (NIST) as a standard in 2005, primarily because of its 56-bit key size, which is vulnerable to brute-force attacks.

Remediation

To ensure the confidentiality and integrity of sensitive data, it is crucial to utilize a modern and secure encryption algorithm. The use of Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) is recommended for its strong security properties and widespread acceptance as a replacement for DES.

✅ Implement AES-256 for Strong Encryption

// Use AES-256 for secure encryption by initializing a 32-byte key for AES-256
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
  log.Fatal(err)
}

// Create a new cipher block from the key
blockCipher, err := aes.NewCipher(key)
if err != nil {
  log.Fatal(err)
}

// Use Galois/Counter Mode (GCM) for both encryption and decryption
aead, err := cipher.NewGCM(blockCipher)
if err != nil {
  log.Fatal(err)
}

var encrypted = []byte{}
var nonce = []byte{}

// Encrypt a message with AES-256 using GCM
{
  msg := []byte("Some secret message")
  // Ensure nonces are unique for each encryption to maintain security
  nonce = make([]byte, 12)
  if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
    log.Fatal(err)
  }
  encrypted = aead.Seal(nil, nonce, msg, nil)
}

// Decrypt the message securely
{
  msg, err := aead.Open(nil, nonce, encrypted, nil)
  if err != nil {
    log.Fatal(err)
  }
  fmt.Printf("Decrypted: %s\n", msg)
}

❌ Do Not Use Deprecated Algorithms Avoid using deprecated cryptographic algorithms such as DES, as they do not provide adequate security against modern threats and attacks.

Resources

Associated CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_des

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_des

Ready to take the next step? Learn more about Bearer Cloud.