Import of weak encryption algorithm (RC4)

  • Rule ID: go_gosec_blocklist_rc4
  • Languages: go
  • Source: rc4.yml

Description

The RC4 encryption algorithm is outdated and vulnerable. It has been found to have significant security flaws, including predictable key generation and weak randomization, which have been exploited in practical attacks. These weaknesses make RC4 unsuitable for encrypting data that needs to stay confidential.

Remediations

  • Do not use RC4 for encrypting data. Its vulnerability to cryptanalysis and practical attacks compromises data security.
  • Switch to AES-256 for encryption. AES-256 is a secure and widely accepted standard that provides strong protection against attacks. Using AES-256 keeps you in line with current security standards and gives a robust defense against known cryptographic attacks.
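The following Go program is an added example, not code from the Bearer rule or its documentation. It places the pattern this rule flags (a function built on `crypto/rc4`) next to the remediation the rule asks for, AES-256 in the authenticated GCM mode from `crypto/cipher` with a fresh random nonce per message. The key and message bytes are constructed sample values; the function names `rc4Encrypt`, `aesGCMEncrypt` and `aesGCMDecrypt` are mine. The example also shows one concrete reason the swap matters: RC4 has no nonce, so encrypting the same message twice under one key yields identical ciphertext, whereas the AES-GCM output differs per call and any tampering is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rc4"
	"errors"
	"fmt"
	"io"
)

// rc4Encrypt is the kind of code go_gosec_blocklist_rc4 reports: it imports
// and uses crypto/rc4. RC4 derives its keystream from the key alone, so two
// encryptions of the same plaintext under the same key are identical.
func rc4Encrypt(key, plaintext []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	c.XORKeyStream(out, plaintext)
	return out, nil
}

// aesGCMEncrypt is the remediated form: AES-256 (32-byte key) in GCM mode.
// A random 12-byte nonce is generated per call and prepended to the output
// so the decryptor can recover it; GCM also appends an authentication tag.
func aesGCMEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMDecrypt splits off the nonce and verifies the tag before returning
// plaintext; any modified byte makes Open return an error.
func aesGCMDecrypt(key, ciphertext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample key and message; a real key comes from a KDF or KMS.
	key := []byte("0123456789abcdef0123456789abcdef")
	msg := []byte("constructed sample message")

	r1, _ := rc4Encrypt(key, msg)
	r2, _ := rc4Encrypt(key, msg)
	fmt.Printf("RC4 repeats ciphertext for repeated input: %v\n", string(r1) == string(r2))

	c1, _ := aesGCMEncrypt(key, msg)
	c2, _ := aesGCMEncrypt(key, msg)
	fmt.Printf("AES-GCM repeats ciphertext for repeated input: %v\n", string(c1) == string(c2))

	pt, err := aesGCMDecrypt(key, c1)
	fmt.Printf("AES-GCM round trip ok: %v (err=%v)\n", string(pt) == string(msg), err)
}
```

Running `bearer scan` over a package containing `rc4Encrypt` produces a finding for this rule; deleting that function and its `crypto/rc4` import, leaving only the AES-GCM pair, clears it. Note that the remediation is AES-256 in an authenticated mode: plain AES-CTR would also pass this particular rule but, like RC4, would not detect tampering.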

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_rc4

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_rc4