This vulnerability exposes encrypted data to a number of attacks whose goal is to recover the plaintext.
Encryption algorithms are essential for protecting sensitive information and ensuring secure communications in a variety of domains. They are used for several important reasons:
When selecting encryption algorithms, tools, or combinations, you should also consider two things:
For these reasons, as soon as cryptography is included in a project, it is important to choose encryption algorithms that are considered strong and secure by the cryptography community.
For AES, the weakest modes are CBC (Cipher Block Chaining) and ECB
(Electronic Codebook), as they are either vulnerable to padding oracles or do not provide authentication mechanisms.
And for RSA, the weakest algorithms are either using it without padding or using the PKCS1v1.5 padding scheme.
The cleartext of an encrypted message might be recoverable. Additionally, it might be possible to modify the cleartext of an encrypted message.
Below are some real-world scenarios that illustrate possible impacts of an attacker exploiting the vulnerability.
The encrypted message might contain data that is considered sensitive and should not be known to third parties.
By using a weak algorithm the likelihood that an attacker might be able to recover the cleartext drastically increases.
By modifying the cleartext of the encrypted message it might be possible for an attacker to trigger other vulnerabilities in the code. Encrypted values are often considered trusted, since under normal circumstances it would not be possible for a third party to modify them.
Example with a symmetric cipher, AES:
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher.getInstance("AES/CBC/PKCS5Padding"); // Noncompliant } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
Example with an asymmetric cipher, RSA:
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher.getInstance("RSA/None/NoPadding"); // Noncompliant } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
For the AES symmetric cipher, use the GCM mode:
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher.getInstance("AES/GCM/NoPadding"); } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
For the RSA asymmetric cipher, use the Optimal Asymmetric Encryption Padding (OAEP):
import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public static void main(String[] args) { try { Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING"); } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { // ... } }
As a rule of thumb, use the cryptographic algorithms and mechanisms that are considered strong by the cryptographic community.
Appropriate choices are currently the following.
GCM mode combines encryption with authentication and integrity checks using a cryptographic hash function and provides both confidentiality and authenticity of data.
Other similar modes are:
Counter with CBC-MAC
Cipher Block Chaining with Message Authentication Code
Encrypt-and-Authenticate
Integer Authenticated Parallelizable Mode
Offset Codebook Mode
It is also possible to use AES-CBC with HMAC for integrity checks. However, it
is considered more straightforward to use AES-GCM directly instead.
The Optimal Asymmetric Encryption Padding scheme (OAEP) adds randomness and a secure hash function that strengthens the regular inner workings of RSA.