Applications in general should avoid, and security-related applications must avoid, use of insecure or weak cryptographic primitives. The computational capacity of modern computers permits circumvention of such cryptography via brute-force attacks. For example, the DES encryption algorithm is considered highly insecure; messages encrypted using DES have been decrypted by brute force within a single day by machines such as the Electronic Frontier Foundation's (EFF) Deep Crack.
...
```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

Cipher cipher = Cipher.getInstance("AES");
KeyGenerator kgen = KeyGenerator.getInstance("AES");
kgen.init(128); // 192 and 256 bits may be unavailable

SecretKey skey = kgen.generateKey();
byte[] raw = skey.getEncoded();
SecretKeySpec skeySpec = new SecretKeySpec(raw, "AES");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

// Encode bytes as UTF8; strToBeEncrypted contains the input string
// that is to be encrypted
byte[] encoded = strToBeEncrypted.getBytes("UTF8");

// Perform encryption
byte[] encrypted = cipher.doFinal(encoded);
```
Risk Assessment
Use of mathematically and computationally insecure cryptographic algorithms can result in the disclosure of sensitive information.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC01-J | medium | probable | medium | P8 | L2 |
Automated Detection
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...