2020-06-30 12:48:07 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
2021-02-18 15:34:22 +01:00
|
|
|
Below, the hashed password use a predictable salt:
|
2021-02-08 19:11:39 +01:00
|
|
|
|
|
|
|
|
----
|
|
|
|
|
byte[] salt = "notrandom".getBytes();
|
2021-02-18 15:34:22 +01:00
|
|
|
|
|
|
|
|
PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, 10000); // Noncompliant, predictable salt
|
2021-02-16 04:11:42 +00:00
|
|
|
PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Noncompliant, predictable salt
|
2021-02-08 19:11:39 +01:00
|
|
|
----
|
|
|
|
|
|
2021-01-23 04:07:47 +00:00
|
|
|
== Compliant Solution
|
2020-06-30 12:48:07 +02:00
|
|
|
|
2021-02-16 04:11:42 +00:00
|
|
|
Use ``++java.security.SecureRandom++`` to generate an unpredictable salt:
|
2020-06-30 12:48:07 +02:00
|
|
|
|
|
|
|
|
----
|
2021-01-23 04:07:47 +00:00
|
|
|
SecureRandom random = new SecureRandom();
|
|
|
|
|
byte[] salt = new byte[16];
|
|
|
|
|
random.nextBytes(salt);
|
2020-06-30 12:48:07 +02:00
|
|
|
|
2021-02-18 15:34:22 +01:00
|
|
|
PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, 10000); // Compliant
|
2021-02-16 04:11:42 +00:00
|
|
|
PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Compliant
|
2021-02-08 19:11:39 +01:00
|
|
|
----
|
|
|
|
|
|
2020-06-30 12:48:07 +02:00
|
|
|
include::../see.adoc[]
|
