---
title: Avoid using the insecure DES or 3DES ciphers
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Avoid using the insecure DES or 3DES ciphers
---

# Avoid using the insecure DES or 3DES ciphers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `rust-security/avoid-des`

**Language:** Rust

**Severity:** Warning

**Category:** Security

**CWE**: [327](https://cwe.mitre.org/data/definitions/327.html)

**Related CWEs**:

- [328](https://cwe.mitre.org/data/definitions/328.html)
- [916](https://cwe.mitre.org/data/definitions/916.html)
- [1240](https://cwe.mitre.org/data/definitions/1240.html)

## Description{% #description %}

DES uses a 56-bit key that can be brute-forced in hours on modern hardware. Triple DES (3DES) is deprecated by NIST SP 800-131A and remains vulnerable to Sweet32 birthday attacks against its 64-bit block size. Use AES-256-GCM (via the `aes-gcm` crate) or another modern authenticated encryption algorithm instead.

#### Learn More{% #learn-more %}

- [CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```rust
use des;
use des::Des;
use des::{Des, TdesEde3};
use openssl::symm::Cipher;

fn invalid() {
    let key = [0u8; 8];

    // RustCrypto `des` crate — single DES and Triple DES variants
    let _ = des::Des::new_from_slice(&key);
    let _ = des::TdesEde3::new_from_slice(&key);

    // openssl/boring `Cipher::des_*()` builders
    let _ = Cipher::des_cbc();
    let _ = openssl::symm::Cipher::des_ede3_cbc();
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```rust
use aes_gcm::{Aes256Gcm, KeyInit};

fn ok() {
    // Safe: AES-256-GCM instead of DES
    let key = [0u8; 32];
    let _ = Aes256Gcm::new(&key.into());
}
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}