Sensei Logo Sensei Hub

Recipe - Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: DES family

Description:
Could lead to brute forcing or other cryptographic weakness
Level:
error
Language:
  • java
Tags:
  • security
  • basic protection set
Documentation

Secure coding practices prescribe to use AES for secret key generation.

Symmetric encryption is faster and can handle more data than asymmetric encryption. It is used to store sensitive data securely or to encrypt communication after a secure channel has been established. It does not provide authenticity on top of confidentiality like asymmetric encryption does. For symmetric encryption, AES is the recommended algorithm. That means that secret keys should be generated using the AES algorithm.

Correct code example
KeyGenerator.getInstance("AES");
Recipe
id: scw:crypto:keygen-des
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid cryptographic weakness: Use appropriate secret key generation algorithm: DES family'
  shortDescription: Could lead to brute forcing or other cryptographic weakness
  level: error
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_key_generation_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: DES|DESede|RC2|Blowfish
    name: getInstance
    declaration:
      type: javax.crypto.KeyGenerator
availableFixes:
- name: Use AES
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("AES")'