Merge pull request #4256 from fatenhealy/Noblowfish

tausbn · web-flow · commit 32bf7d6bdfe4 · 2020-09-30T16:15:46.000+02:00
CWE-327 BrokenCryptoAlgorithm recommendation to AES instead of Blowfish
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -33,7 +33,7 @@
                <code>pycrypto</code> you must specify the encryption
                algorithm to use. The first example uses DES, which is an
                older algorithm that is now considered weak. The second
-               example uses Blowfish, which is a stronger more modern algorithm.
+               example uses AES, which is a stronger modern algorithm.
           </p>
 
           <sample src="examples/broken_crypto.py" />
diff --git a/python/ql/src/Security/CWE-327/examples/broken_crypto.py b/python/ql/src/Security/CWE-327/examples/broken_crypto.py
@@ -1,12 +1,12 @@
-from Crypto.Cipher import DES, Blowfish
+from Crypto.Cipher import DES, AES
 
 cipher = DES.new(SECRET_KEY)
 
 def send_encrypted(channel, message):
     channel.send(cipher.encrypt(message)) # BAD: weak encryption
 
 
-cipher = Blowfish.new(SECRET_KEY)
+cipher = AES.new(SECRET_KEY)
 
 def send_encrypted(channel, message):
     channel.send(cipher.encrypt(message)) # GOOD: strong encryption
