RSPEC-5542

Encryption algorithms should be used with secure mode and padding scheme

    Details

    • Message:
      Use a secure mode and padding scheme.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB6, XML
    • Covered Languages:
      C#, Java, PHP, Python, VB.Net
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      MSC61-J.
    • CWE:
      CWE-327, CWE-780
    • OWASP:
      A6, A3
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      ECB_MODE, PADDING_ORACLE, RSA_NO_PADDING
    • FxCop:
      CA5358

      Description

      To perform secure cryptography, the operation mode and the padding scheme are essential and should be chosen correctly for the encryption algorithm:

      • For block cipher encryption algorithms (like AES), the GCM (Galois Counter Mode) mode, which works internally with zero/no padding scheme, is recommended. Conversely, these modes and/or schemes are highly discouraged:
        • Electronic Codebook (ECB) mode is vulnerable because it doesn't provide serious message confidentiality: under a given key, any given plaintext block always gets encrypted to the same ciphertext block.
        • Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is vulnerable to padding oracle attacks.
      • The RSA encryption algorithm should be used with the recommended padding scheme (OAEP).
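
An added example, not part of the rule specification or of Sonar's analyzer: a small syntactic check over Java `Cipher.getInstance` transformation strings that flags the three discouraged cases listed above. The sample source is constructed, the `BLOCK_CIPHERS` set is illustrative, and treating a bare algorithm name as ECB is an assumption about provider defaults.

```python
import re

# Matches Java JCA calls such as Cipher.getInstance("AES/ECB/PKCS5Padding").
CALL = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
# Illustrative set of block ciphers the rule is applied to (assumption).
BLOCK_CIPHERS = {"AES", "DES", "DESEDE", "BLOWFISH"}

def classify(transformation):
    """Return a finding for an 'algorithm/mode/padding' string, or None."""
    parts = [p.strip().upper() for p in transformation.split("/")]
    algo = parts[0]
    mode = parts[1] if len(parts) > 1 else ""
    padding = parts[2] if len(parts) > 2 else ""
    if algo == "RSA":
        # The mode field is irrelevant for RSA; only the padding matters.
        return None if padding.startswith("OAEP") else "RSA without OAEP padding"
    if algo not in BLOCK_CIPHERS:
        return None
    # Assumption: a bare algorithm name falls back to the provider's ECB default.
    if mode in ("", "ECB"):
        return "ECB mode"
    if mode == "CBC" and padding in ("PKCS5PADDING", "PKCS7PADDING"):
        return "CBC with PKCS#5/PKCS#7 padding"
    return None

def scan(source):
    """Return (line number, transformation, reason) for each flagged call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL.finditer(line):
            reason = classify(match.group(1))
            if reason:
                findings.append((lineno, match.group(1), reason))
    return findings

# Constructed sample input, not taken from any real code base.
SAMPLE = '''\
Cipher a = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher b = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
Cipher d = Cipher.getInstance("RSA/ECB/NoPadding");
Cipher e = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
Cipher f = Cipher.getInstance("AES");
'''

if __name__ == "__main__":
    for lineno, transformation, reason in scan(SAMPLE):
        print(f"line {lineno}: {transformation}: {reason}")
```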

      See

          Issue Links

          1. Java RSPEC-5543 Language-Specification Active Unassigned
          2. Kotlin RSPEC-5544 Language-Specification Active Unassigned
          3. C# RSPEC-5545 Language-Specification Active Unassigned
          4. PHP RSPEC-5568 Language-Specification Active Unassigned
          5. Python RSPEC-5620 Language-Specification Active Unassigned
          6. VB.Net RSPEC-5638 Language-Specification Active Unassigned
          7. JavaScript RSPEC-5670 Language-Specification Active Unassigned
          8. C-Family RSPEC-5891 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
                Reporter:
                eric.therond Eric Therond