The analyzer has detected that the application uses an outdated cryptographic algorithm. The use of such algorithms can lead to sensitive data exposure, key leakage, broken authentication, etc.
Vulnerabilities related to the use of weak cryptographic algorithms can be categorized under the OWASP Top 10 2021 as follows:
Look at the following example:
public void encryptData(String data, SecretKey secretKey) {
Cipher cipher = null;
try {
cipher = Cipher.getInstance("DES"); // <=
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
// ....
}
try {
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
} catch (InvalidKeyException e) {
// ....
}
try {
byte[] encryptedData = cipher.doFinal(data.getBytes());
} catch (IllegalBlockSizeException | BadPaddingException e) {
// ....
}
// ....
}When analyzing the code fragment, the analyzer will warn against using DES.
It is better to use modern algorithms instead of outdated ones. In the example above, one possible solution is to replace DES with AES:
public void encryptData(String data, SecretKey secretKey) {
Cipher cipher = null;
try {
cipher = Cipher.getInstance("AES/CBC/NoPadding");
} catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
// ....
}
try {
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
} catch (InvalidKeyException e) {
// ....
}
try {
byte[] encryptedData = cipher.doFinal(data.getBytes());
} catch (IllegalBlockSizeException | BadPaddingException e) {
// ....
}
// ....
}Oracle's website provides documentation on standard implementations of various cryptographic algorithms. The following is a list of some algorithms that are not recommended for use:
For example, the recommendation to use the aforementioned Data Encryption Standard (DES) was withdrawn in 2005 and replaced with the Advanced Encryption Standard (AES).
The official OWASP website provides various techniques for testing applications for potential vulnerabilities caused by the use of weak cryptographic algorithms.