Recipe Name:
Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: insecure SecretKeyFactory
Description:
Could lead to cryptographic weakness
Level:
error
Language:
  • java
Tags:
  • security
  • basic protection set
Documentation

Secure coding practices prescribe to use AES for secret key generation.

Symmetric encryption is faster and can handle more data than asymmetric encryption. It is used to store sensitive data securely or to encrypt communication after a secure channel has been established. It does not provide authenticity on top of confidentiality like asymmetric encryption does. For symmetric encryption, AES is the recommended algorithm. That means that secret keys should be generated using the AES algorithm.

Correct code example
KeyGenerator.getInstance("AES");
Recipe
id: scw:crypto:secretkeyfactory-insecure-algos
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: insecure SecretKeyFactory'
  shortDescription: Could lead to cryptographic weakness
  level: error
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_key_generation_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: (.*MD5.*)|(.*DES.*)|PBKDF2WithHmacSHA1|(.*ARCFOUR.*)
    name: getInstance
    declaration:
      type: javax.crypto.SecretKeyFactory
availableFixes:
- name: Use AES
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("AES")'