Use of a Broken or Risky Cryptographic Algorithm

  • Rule ID: go_gosec_blocklist_rc4
  • Languages: go
  • Source: rc4.yml

Description

RC4 is a stream cipher that was once popular for its simplicity and speed. However, extensive research over the years has revealed multiple vulnerabilities, rendering RC4 insecure in most contexts. Weaknesses in its key scheduling and biased (non-random) keystream bytes have led to successful cryptanalysis and practical attacks, making it unsuitable for securing data.
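The non-random keystream bytes mentioned above can be measured directly. The following is an added example, not part of the original rule documentation: it counts how often RC4's second keystream byte is 0x00 across many keys, which happens about twice as often as a uniform keystream would allow. The function name, trial count and seed are assumptions chosen for illustration.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"math/rand"
)

// secondByteZeroCount runs RC4 under `trials` different 16-byte keys and counts
// how often the second keystream byte is 0x00. A uniform keystream would give
// about trials/256; RC4 gives roughly twice that.
func secondByteZeroCount(trials int, seed int64) int {
	// Constructed input: keys come from a seeded PRNG so the run is repeatable.
	// math/rand only drives this measurement; never use it for real keys.
	rng := rand.New(rand.NewSource(seed))
	key := make([]byte, 16)
	ks := make([]byte, 2)
	zeros := 0
	for i := 0; i < trials; i++ {
		rng.Read(key)
		c, err := rc4.NewCipher(key)
		if err != nil {
			panic(err) // only possible for an invalid key size
		}
		// Encrypting zero bytes exposes the raw keystream.
		ks[0], ks[1] = 0, 0
		c.XORKeyStream(ks, ks)
		if ks[1] == 0 {
			zeros++
		}
	}
	return zeros
}

func main() {
	const trials = 200000
	got := secondByteZeroCount(trials, 1)
	fmt.Printf("second byte == 0x00: %d of %d (uniform would be ~%d)\n",
		got, trials, trials/256)
}
```

Any ciphertext byte that leaks plaintext statistics this way is a reason to treat every remaining `rc4.NewCipher` call flagged by this rule as a finding to fix rather than skip.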

Remediation

With the known vulnerabilities of RC4, it's essential to move to a more secure cipher. AES (Advanced Encryption Standard) is the recommended replacement because it has undergone extensive scrutiny and is considered secure against cryptanalysis.

✅ Switch to AES-256 for Robust Encryption

package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"log"
)

func main() {
	// A 32-byte key selects AES-256, a secure block cipher that has become
	// the industry standard for encryption.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		log.Fatal(err)
	}

	blockCipher, err := aes.NewCipher(key)
	if err != nil {
		log.Fatal(err)
	}

	// GCM wraps the block cipher in an authenticated (AEAD) mode.
	aead, err := cipher.NewGCM(blockCipher)
	if err != nil {
		log.Fatal(err)
	}

	var encrypted, nonce []byte
	// Encryption routine
	{
		msg := []byte("Some secret message")
		// A nonce must never repeat under the same key. With random 96-bit
		// nonces, rotate the key before it has encrypted 2^32 messages.
		nonce = make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			log.Fatal(err)
		}
		encrypted = aead.Seal(nil, nonce, msg, nil)
	}

	// Decryption routine: Open fails if the ciphertext or nonce was altered.
	{
		msg, err := aead.Open(nil, nonce, encrypted, nil)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("Decrypted: %s\n", msg)
	}
}

Using AES-256 ensures that your encryption mechanism meets current security standards and is robust against known attacks. AES has been widely adopted across various industries and has proven its reliability over time.

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_rc4

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_rc4