Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as
In your source code file DESUtils.java there are two functions encrypt(byte[], byte[]) and decrypt(byte[], byte[]) both of which have misuses:
At line 56 and 33
Cipher cipher = Cipher.getInstance(PADDING);
First parameter is with value "DES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}.
Then in file AESUtils.java there are misuses seen in three functions encrypt(byte[],byte[]), decrypt(byte[],byte[]) and genarateRandomKey()
At line 38 and 64
Cipher cipher = Cipher.getInstance(PADDING);
First parameter (with value "AES/ECB/PKCS5Padding") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
At line 37 and 61
SecretKeySpec seckey = new SecretKeySpec(enCodeFormat,"AES");
First parameter was not properly randomized, it should be randomized using java.security.SecureRandom JCA API.
At line 115
keygen = KeyGenerator.getInstance(PADDING);
First parameter (with value "AES/ECB/PKCS5Padding") should be any of {AES, Blowfish, DESede, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}
I believe fixing these issues would help your product be more secure.
Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as
In your source code file DESUtils.java there are two functions encrypt(byte[], byte[]) and decrypt(byte[], byte[]) both of which have misuses:
At line 56 and 33
First parameter is with value "DES/ECB/PKCS5Padding" which should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}.
Then in file AESUtils.java there are misuses seen in three functions encrypt(byte[],byte[]), decrypt(byte[],byte[]) and genarateRandomKey()
At line 38 and 64
First parameter (with value "AES/ECB/PKCS5Padding") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB} At line 37 and 61
First parameter was not properly randomized, it should be randomized using java.security.SecureRandom JCA API.
At line 115
First parameter (with value "AES/ECB/PKCS5Padding") should be any of {AES, Blowfish, DESede, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}
I believe fixing these issues would help your product be more secure.