include::../description.adoc[] == Noncompliant Code Example ---- import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public class test { public static void main(String[] args) { try { Cipher c1 = Cipher.getInstance("DES"); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search Cipher c7 = Cipher.getInstance("DESede"); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack Cipher c13 = Cipher.getInstance("RC2"); // Noncompliant: RC2 is vulnerable to a related-key attack Cipher c19 = Cipher.getInstance("RC4"); // Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security) Cipher c25 = Cipher.getInstance("Blowfish"); // Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks NullCipher nc = new NullCipher(); // Noncompliant: the NullCipher class provides an "identity cipher" one that does not transform or encrypt the plaintext in any way. } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { } } } ---- == Compliant Solution ---- import javax.crypto.Cipher; import java.security.NoSuchAlgorithmException; import javax.crypto.NoSuchPaddingException; public class test { public static void main(String[] args) { try { Cipher c31 = Cipher.getInstance("AES/GCM/NoPadding"); // Compliant } catch(NoSuchAlgorithmException|NoSuchPaddingException e) { } } } ---- == See * https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://cwe.mitre.org/data/definitions/327.html[MITRE, CWE-327] - Use of a Broken or Risky Cryptographic Algorithm * https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms * https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses