16 lines
458 B
Plaintext
16 lines
458 B
Plaintext
Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue as soon as a literal value starts with ``RSA/NONE``.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
Cipher rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
Cipher rsa = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
|
|
----
|
|
|
|
include::../see.adoc[]
|