Use of a broken or risky cryptographic algorithm¶
ID: java/weak-cryptographic-algorithm Kind: path-problem Severity: warning Precision: high Tags: - security - external/cwe/cwe-327 - external/cwe/cwe-328 Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls
Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.
Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.
Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to replay and other attacks.
The following code shows an example of using a java
Cipher to encrypt some data. When creating a
Cipher instance, you must specify the encryption algorithm to use. The first example uses DES, which is an older algorithm that is now considered weak. The second example uses AES, which is a strong modern algorithm.
// BAD: DES is a weak algorithm Cipher des = Cipher.getInstance("DES"); cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); byte encrypted = cipher.doFinal(input.getBytes("UTF-8")); // ... // GOOD: AES is a strong algorithm Cipher des = Cipher.getInstance("AES"); // ...
NIST, FIPS 140 Annex a: Approved Security Functions.
Common Weakness Enumeration: CWE-327.
Common Weakness Enumeration: CWE-328.