Usage of ECB cipher mode
- Rule ID: python_lang_weak_encryption_ecb_mode
- Languages: python
- Source: weak_encryption_ecb_mode.yml
Description
The ECB (Electronic Codebook) cipher mode is insecure and should not be used. ECB encrypts every block independently and deterministically, so identical plaintext blocks produce identical ciphertext blocks: anyone who can see the ciphertext can spot repeated fields, record boundaries and structure without knowing the key. ECB also provides no integrity protection, so ciphertext blocks can be reordered, duplicated or dropped without the receiver noticing. Use an authenticated encryption (AEAD) scheme instead, which provides confidentiality and message integrity in one operation and takes care of the per-message nonce for you: ChaCha20-Poly1305, or AES-256-GCM where ChaCha20-Poly1305 is not available.
Remediations
- Use ChaCha20-Poly1305 or AES-256-GCM for encryption. Both are AEAD schemes: they encrypt and authenticate the message together, so a modified ciphertext is rejected on decryption, and a fresh nonce per message ensures that identical plaintexts do not produce identical ciphertexts. Store the nonce and the authentication tag alongside the ciphertext, and never reuse a (key, nonce) pair.
from Crypto.Cipher import ChaCha20_Poly1305
from Crypto.Random import get_random_bytes
key = get_random_bytes(32)  # 256-bit key; in practice load it from a secrets store or KMS
cipher = ChaCha20_Poly1305.new(key=key)  # key is a keyword argument; a random 12-byte nonce is generated
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
nonce = cipher.nonce  # keep nonce and tag with the ciphertext; decrypt with ChaCha20_Poly1305.new(key=key, nonce=nonce).decrypt_and_verify(ciphertext, tag)
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=python_lang_weak_encryption_ecb_mode
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=python_lang_weak_encryption_ecb_mode