This vulnerability makes it possible that the cleartext of the encrypted message might be recoverable without prior knowledge of the key.
Encryption algorithms are essential for protecting sensitive information and ensuring secure communication in various domains. They are used for several important reasons:
When selecting encryption algorithms, tools, or combinations, you should also consider two things:
For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and secure by the cryptography community.
The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
The encrypted message might contain data that is considered sensitive and should not be known to third parties.
By using a weak algorithm the likelihood that an attacker might be able to recover the cleartext drastically increases.
By modifying the cleartext of the encrypted message it might be possible for an attacker to trigger other vulnerabilities in the code. Encrypted values are often considered trusted, since under normal circumstances it would not be possible for a third party to modify them.
The following code contains examples of algorithms that are not considered highly resistant to cryptanalysis and thus should be avoided.
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher des = Cipher.getInstance("DES"); // Noncompliant } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher aes = Cipher.getInstance("AES/GCM/NoPadding"); } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
It is highly recommended to use an algorithm that is currently considered secure by the cryptographic community. A common choice for such an algorithm is the Advanced Encryption Standard (AES).
For block ciphers, it is not recommended to use algorithms with a block size that is smaller than 128 bits.