Recipe Name:
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Other algorithms
Description:
Could lead to brute forcing or other cryptographic weakness
Level:
marked_information
Language:
  • java
Tags:
  • security
  • basic protection set
Documentation

Secure coding practices prescribe to use AES for secret key generation.

Symmetric encryption is faster and can handle more data than asymmetric encryption. It is used to store sensitive data securely or to encrypt communication after a secure channel has been established. It does not provide authenticity on top of confidentiality like asymmetric encryption does. For symmetric encryption, AES is the recommended algorithm. That means that secret keys should be generated using the AES algorithm.

Correct code example
KeyGenerator.getInstance("AES");
Recipe
id: scw:crypto:keygen-other-algos
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Other algorithms'
  shortDescription: Could lead to brute forcing or other cryptographic weakness
  level: marked_information
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_key_generation_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: ^((?!(AES$|DES|DESede|RC2|Blowfish|HmacMD5|HmacSHA1|HmacSHA1|HmacSHA256|HmacSHA384|HmacSHA512)).)*
    name: getInstance
    declaration:
      type: javax.crypto.KeyGenerator
availableFixes:
- name: Use AES
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("AES")'