Recipe Name:
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Other algorithms
Description:
Could lead to brute forcing or other cryptographic weakness
Level:
marked_information
Language:
- java
Tags:
- security
- basic protection set
Documentation
Secure coding practices prescribe the use of AES for secret key generation.
Symmetric encryption is faster and can handle more data than asymmetric encryption. It is used to store sensitive data securely or to encrypt communication after a secure channel has been established. It does not provide authenticity on top of confidentiality like asymmetric encryption does. For symmetric encryption, AES is the recommended algorithm. That means that secret keys should be generated using the AES algorithm.
Correct code example
KeyGenerator.getInstance("AES");
Recipe
id: scw:crypto:keygen-other-algos
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: Other algorithms'
  shortDescription: Could lead to brute forcing or other cryptographic weakness
  level: marked_information
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_key_generation_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: ^((?!(AES$|DES|DESede|RC2|Blowfish|HmacMD5|HmacSHA1|HmacSHA1|HmacSHA256|HmacSHA384|HmacSHA512)).)*
    name: getInstance
    declaration:
      type: javax.crypto.KeyGenerator
availableFixes:
- name: Use AES
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("AES")'
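The following is an added example, not part of the recipe or its author's code. It runs the recipe's search pattern over a few constructed `KeyGenerator.getInstance` arguments to show which ones this recipe matches, then generates a key the way the "Use AES" fix leaves the call. The class name, the sample list, the 256-bit key size and the assumption that the recipe engine requires the whole argument to match the pattern are this example's own.

```java
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.regex.Pattern;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyGenRecipeDemo {
    // Search pattern copied from the recipe's "matches" field.
    static final Pattern RECIPE = Pattern.compile(
        "^((?!(AES$|DES|DESede|RC2|Blowfish|HmacMD5|HmacSHA1|HmacSHA1|"
        + "HmacSHA256|HmacSHA384|HmacSHA512)).)*");

    // Assumption: the recipe engine requires the whole argument to match.
    // The negative lookahead rejects exactly "AES" and any string that
    // contains one of the other listed names, so those are not matched here.
    static boolean flagged(String algorithm) {
        return RECIPE.matcher(algorithm).matches();
    }

    // The call as the "Use AES" fix leaves it, plus an explicit key size.
    static SecretKey generateAesKey() throws NoSuchAlgorithmException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256); // key size is this example's choice, not set by the recipe
        return generator.generateKey();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample arguments to KeyGenerator.getInstance(...)
        List<String> samples =
            List.of("AES", "ARCFOUR", "ChaCha20", "DESede", "Blowfish", "HmacSHA256");
        for (String name : samples) {
            System.out.printf("%-10s %s%n", name, flagged(name)
                ? "flagged -> rewrite to getInstance(\"AES\")"
                : "not matched by this recipe");
        }
        SecretKey key = generateAesKey();
        System.out.println(key.getAlgorithm() + " key, "
            + key.getEncoded().length * 8 + " bits");
    }
}
```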