770348d041
* Add check for security standard mismatch * Fix security standard mismatches * Fix Resources/Standards links for secrets rules * Fix check * Fix links and update security standard mapping * Fix maintanability issue * Apply review suggestions * Apply suggestions from code review Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> * Fix typo Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
28 lines
913 B
Plaintext
28 lines
913 B
Plaintext
== Why is this an issue?
|
|
|
|
Optimal Asymmetric Encryption Padding adds an element of randomness to RSA encryption, and helps prevent partial decryption. Using RSA encryption with some other padding, or without padding yields an encrypted value that is easier for an attacker to decode.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,text]
|
|
----
|
|
Cipher cipher = Cipher.getInstance("RSA/None/NOPADDING"); // Noncompliant
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,text]
|
|
----
|
|
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
|
|
* CWE - https://cwe.mitre.org/data/definitions/780[CWE-780 - Use of RSA Algorithm without OAEP]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A7 - Security Misconfiguration]
|
|
|