• Home
• io.github.erroraway
• sonar-erroraway-sonar-plugin
• 2.2.0
• source code
• InsecureCryptoUsage.md

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

errorprone.bugpattern.InsecureCryptoUsage.md Maven / Gradle / Ivy

This checker looks for usages of standard cryptographic algorithms in
configurations that are prone to vulnerabilities. There are currently three
classes of problems that are covered by this checker:

*   Creating an instance of `javax.crypto.Cipher` using either the default
    settings or the notoriously insecure ECB mode. In particular, Java's default
    `Cipher.getInstance(AES)` returns a cipher object that operates in ECB mode.
    Dynamically constructed transformation strings are also flagged, as they may
    conceal an instance of ECB mode. The problem with ECB mode is that
    encrypting the same block of plaintext always yields the same block of
    ciphertext. Hence, repetitions in the plaintext translate into repetitions
    in the ciphertext, which can be readily used to conduct cryptanalysis. The
    use of IES-based cipher algorithms also raises an error, as all currently
    available implementations use ECB mode under the hood.

*   Using the Diffie-Hellmann protocol on prime fields. Most library
    implementations of Diffie-Hellman on prime fields have serious issues that
    can be exploited by an attacker. Any operation that may involve this
    protocol will be flagged by the checker. Implementations of the protocol
    based on elliptic curves (ECDH) are secure and should be used instead.

*   Using DSA for digital signatures. Some widely used crypto libraries accept
    invalid DSA signatures in specific configurations. The checker will flag all
    cryptographic operations that may involve DSA.