Recipe Name:
Data Protection - Cryptography: Avoid cryptographic weakness: Use strong symmetric cryptographic algorithm
Description:
Could lead to cryptographic weakness
Level:
error
Language:
- java
Tags:
- security
- basic protection set
Documentation
Secure coding practices prescribe to use AES with GCM mode and no padding for symmetric algorithms.
Symmetric encryption should be used for bulk encryption, i.e. to store sensitive data securely or to encrypt communication after a secure channel has been established. The recommended algorithm for local storage is AES, used in GCM mode with no padding.
Correct code examplepublic static byte[] encryptForLocalStorage(byte[] plainText, byte[] IV, Key key) throws Exception {
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec gcmSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, IV);
c.init(Cipher.ENCRYPT_MODE, key, gcmSpec);
return c.doFinal(plainText);
}
Recipe
id: scw:crypto:cipher:symmetric
version: 10
metadata:
name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use strong symmetric cryptographic algorithm'
shortDescription: Could lead to cryptographic weakness
level: error
language: java
newCodeOnly: false
scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
enabled: true
descriptionFile: Java/Crypto/descriptions/Insecure_symmetric_cryptographic_algorithm.html
tags: security;basic protection set
search:
methodcall:
args:
1:
type: java.lang.String
value:
containsUntrustedInput: false
stringified:
not:
matches: AES/GCM/NoPadding|.*RSA.*|.*ECIES.*
name: getInstance
declaration:
type: javax.crypto.Cipher
availableFixes:
- name: Use AES in Galois/Counter Mode with NoPadding
actions:
- rewrite:
to: '{{{ expressionElement }}}("AES/GCM/NoPadding")'