Recipe Name:
Data Protection - Cryptography: Avoid cryptographic weakness: Use strong symmetric cryptographic algorithm (Untrusted)
Description:
Alowing untrusted input to determine the encryption algorithm could lead to cryptographic weakness.
Level:
warning
Language:
- java
Tags:
- security
- basic protection set
Documentation
Secure coding practices prescribe to use AES with GCM mode and no padding for symmetric algorithms.
Symmetric encryption should be used for bulk encryption, i.e. to store sensitive data securely or to encrypt communication after a secure channel has been established. The recommended algorithm for local storage is AES, used in GCM mode with no padding.
Correct code examplepublic static byte[] encryptForLocalStorage(byte[] plainText, byte[] IV, Key key) throws Exception { Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); GCMParameterSpec gcmSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, IV); c.init(Cipher.ENCRYPT_MODE, key, gcmSpec); return c.doFinal(plainText); }
Recipe
id: scw:crypto:cipher:symmetric-untrusted version: 10 metadata: name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use strong symmetric cryptographic algorithm (Untrusted)' shortDescription: Alowing untrusted input to determine the encryption algorithm could lead to cryptographic weakness. level: warning language: java newCodeOnly: false scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms enabled: true descriptionFile: Java/Crypto/descriptions/Insecure_symmetric_cryptographic_algorithm.html tags: security;basic protection set search: methodcall: args: 1: type: java.lang.String value: containsUntrustedInput: true name: getInstance declaration: type: javax.crypto.Cipher availableFixes: - name: Use AES in Galois/Counter Mode with NoPadding actions: - rewrite: to: '{{{ expressionElement }}}("AES/GCM/NoPadding")'