Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Hmac family :: Recipe Details

Recipe Name:

Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Hmac family

Description:

Could lead to brute forcing or other cryptographic weakness

Level:

warning

Language:

java

Tags:

security
basic protection set

Documentation

Secure coding practices prescribe to use AES for secret key generation.

Symmetric encryption is faster and can handle more data than asymmetric encryption. It is used to store sensitive data securely or to encrypt communication after a secure channel has been established. It does not provide authenticity on top of confidentiality like asymmetric encryption does. For symmetric encryption, AES is the recommended algorithm. That means that secret keys should be generated using the AES algorithm.

Correct code example

KeyGenerator.getInstance("AES");

Recipe

id: scw:crypto:keygen-hmac
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Hmac family'
  shortDescription: Could lead to brute forcing or other cryptographic weakness
  level: warning
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_key_generation_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: HmacMD5|HmacSHA1|HmacSHA1|HmacSHA256|HmacSHA384|HmacSHA512
    name: getInstance
    declaration:
      type: javax.crypto.KeyGenerator
availableFixes:
- name: Use AES
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("AES")'