We are a German research group investigating the misuse of cryptographic APIs.
We found vulnerabilities in symmetricEncryption.java at lines {36, 50}, which can lead to an attack (e.g., trivial brute-forcing or dictionary attacks on the key material).
This is our result:
{
  "explanation": "Direct instantiation of SecretKeySpec in decrypt; the algorithm is derived by splitting cipherInstance (resulting in \"AES\").",
  "cryptographicObjectType": "SecretKeySpec",
  "codeSnippet": "SecretKeySpec keySpec = new SecretKeySpec(key, cipherInstance.split(\"/\")[0]);",
  "vulnerabilityType": "Insecure",
  "correction": "Using a hardcoded key ('1234567890abcdef1234567890abcdef') in the decryption routine is insecure. Adopt a secure key management mechanism to avoid embedding secret keys directly in the source code."
}
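As an added illustration of the correction above (example code, not from symmetricEncryption.java), the flagged hardcoded-key pattern is shown beside a variant that resolves the key from a PKCS12 keystore at runtime and checks that the key's algorithm matches the one derived from the transformation string. The transformation "AES/GCM/NoPadding", the keystore path and the alias are assumptions.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyHandlingExample {
    // Assumed transformation; split("/")[0] yields the key algorithm "AES".
    static final String CIPHER_INSTANCE = "AES/GCM/NoPadding";
    static final String KEY_ALGORITHM = CIPHER_INSTANCE.split("/")[0];

    // Flagged pattern: the secret is a literal in the source tree, so anyone with
    // read access to the repository or the binary recovers it without any guessing.
    static SecretKeySpec hardcodedKeySpec() {
        byte[] key = "1234567890abcdef1234567890abcdef".getBytes(StandardCharsets.UTF_8);
        return new SecretKeySpec(key, KEY_ALGORITHM);
    }

    // Hardened variant: the key is loaded at runtime from a PKCS12 keystore whose
    // password arrives out of band (secrets manager, environment, prompt). The
    // source contains no key bytes, and the entry must carry the expected algorithm.
    static SecretKey keyFromKeyStore(String path, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, storePass);
        }
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(keyPass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("no secret key stored under alias " + alias);
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        if (!KEY_ALGORITHM.equals(key.getAlgorithm())) {
            throw new GeneralSecurityException("keystore entry is not an " + KEY_ALGORITHM + " key");
        }
        return key;
    }

    // Decryption routine that accepts whichever key source the caller chose.
    // A 12-byte IV and 128-bit tag are the usual GCM parameters (assumed here).
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] ciphertext) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(CIPHER_INSTANCE);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(ciphertext);
    }
}
```

A keystore for this pattern can be created with `keytool -genseckey -keyalg AES -keysize 256 -storetype PKCS12` under the chosen alias; the store password then becomes the only secret the deployment has to protect.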