include::../description.adoc[] == Noncompliant Code Example [source,kotlin] ---- import javax.crypto.NoSuchPaddingException import java.security.NoSuchAlgorithmException import javax.crypto.Cipher class test { fun main(args: Array) { try { val c1 = Cipher.getInstance("DES") // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search val c7 = Cipher.getInstance("DESede") // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack val c13 = Cipher.getInstance("RC2") // Noncompliant: RC2 is vulnerable to a related-key attack val c19 = Cipher.getInstance("RC4") // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security) val c25 = Cipher.getInstance("Blowfish") // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks val nc = NullCipher() // Noncompliant: the NullCipher class provides an "identity cipher" one that does not transform or encrypt the plaintext in any way. } catch (e: NoSuchAlgorithmException) { } catch (e: NoSuchPaddingException) { } } } ---- == Compliant Solution [source,kotlin] ---- import javax.crypto.NoSuchPaddingException import java.security.NoSuchAlgorithmException import javax.crypto.Cipher class test { fun main(args: Array) { try { val c31 = Cipher.getInstance("AES/GCM/NoPadding") // Compliant } catch (e: NoSuchAlgorithmException) { } catch (e: NoSuchPaddingException) { } } } ---- == See * https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements[Mobile AppSec Verification Standard] - Cryptography Requirements * https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography[OWASP Mobile Top 10 2016 Category M5] - Insufficient Cryptography * https://cwe.mitre.org/data/definitions/327[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms * https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]