Go

Made by DeepSource

Audit required: DES cipher algorithm is cryptographically broken GO-S1022

Security
Major
a02 a06 cwe-327 sans top 25 owasp top 10

DES is cryptographically broken and should not be used for secure applications. It is recommended to use better replacement algorithms instead.

NIST has recommended AES as the successor to DES for use in secure applications. Apart from AES, there are replacement schemes in which DES is adapted and reused in a more secure way. Many former DES users now use Triple DES (TDES), also called the Triple Data Encryption Algorithm (TDEA), which was described and analyzed by one of DES's patentees; it involves applying DES three times with two (2TDES) or three (3TDES) different keys. TDES is regarded as adequately secure but is computationally slower.

Both TDEA and AES are available in Go's standard library: TDEA (crypto/des) and AES (crypto/aes).

Bad practice

des.NewCipher(tripleDESKey)
