Cryptographic API misuse detected
anam-dodhy opened this issue · comments
Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as
In your source code file AESUtils.java there are two functions encrypt(String, String) and decrypt(String, String). Following issues have been found in these two functions:
- In function encrypt(String, String) At line 27
SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
and at line 26
IvParameterSpec iv = new IvParameterSpec(INIT_VECTOR.getBytes("UTF-8"));
First parameters were not properly randomized in both cases. They should be randomized using java.security.SecureRandom class. And these ill prepared skeySpec and iv are later passed on as paramters in line 30 which results in another misuse.
-
In function decrypt(String, String) same issues as explained above are found at line 49, 50 and 53.
-
In another file PasswordProvider.java at line 42
MessageDigest md = MessageDigest.getInstance("MD5");
First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512} as MD5 is widely known to be an insecure algorithm now.
I believe fixing these issues would help your product be more secure.