Cryptographic API misuse detected

[anam-dodhy]

Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as

• CDRep: Automatic Repair of Cryptographic Misuses in Android Applications

In your source code file DESUtils.java there are two functions encrypt(byte[], byte[]) and decrypt(byte[], byte[]) both of which have misuses:

• At line 56 and 33

  Cipher cipher = Cipher.getInstance(PADDING);

  First parameter is with value "DES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}.

• Then in file AESUtils.java there are misuses seen in three functions encrypt(byte[],byte[]), decrypt(byte[],byte[]) and genarateRandomKey()

At line 38 and 64

Cipher cipher = Cipher.getInstance(PADDING);

First parameter (with value "AES/ECB/PKCS5Padding") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} At line 37 and 61

SecretKeySpec seckey = new SecretKeySpec(enCodeFormat,"AES");

First parameter was not properly randomized, it should be randomized using java.security.SecureRandom JCA API.

At line 115

keygen = KeyGenerator.getInstance(PADDING);

First parameter (with value "AES/ECB/PKCS5Padding") should be any of {AES, Blowfish, DESede, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}

I believe fixing these issues would help your product be more secure.

[javahongxi]

I see it, thanks for your comments.

[santiagodavidgarciacastaneda]

Duplicate of #