When encrypting data with the Cipher Block Chaining (CBC) mode, an Initialization Vector (IV) is used to randomize the encryption, i.e. under a given key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret, but it should be unpredictable; a predictable IV exposes the encryption to chosen-plaintext attacks.
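To generate Initialization Vectors, NIST recommends using a secure random number generator. A fresh IV is generated for each encryption and is stored or transmitted alongside the ciphertext, because it is needed again for decryption.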
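/**
 * Noncompliant example: AES/CBC encryption with a hard-coded initialization vector.
 *
 * <p>The IV is a compile-time constant, so it is identical for every call and known to anyone
 * who can read the code or a single output. Under a given key, the same plaintext then always
 * produces the same ciphertext, which is what the IV is meant to prevent.
 */
public class MyCbcClass {

  /**
   * Encrypts {@code plainText} with AES in CBC mode and PKCS#5 padding.
   *
   * @param strKey key material; its UTF-8 encoding is used verbatim as the AES key, so it must
   *     be 16, 24 or 32 bytes long (no key derivation is applied)
   * @param plainText text to encrypt; encoded as UTF-8 before encryption
   * @return {@code base64(IV) + ";" + base64(ciphertext)}
   * @throws IllegalArgumentException if {@code strKey} is not a valid AES key
   * @throws IllegalStateException if the cipher is unavailable or encryption fails
   */
  public String applyCBC(String strKey, String plainText) {
    // Noncompliant: the IV is hard coded and thus not generated with a secure random generator.
    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes(java.nio.charset.StandardCharsets.UTF_8);

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec =
        new SecretKeySpec(strKey.getBytes(java.nio.charset.StandardCharsets.UTF_8), "AES");

    try {
      /* Ciphering */
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
      cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
      byte[] encryptedBytes =
          cipher.doFinal(plainText.getBytes(java.nio.charset.StandardCharsets.UTF_8));

      // java.util.Base64 replaces javax.xml.bind.DatatypeConverter, which is no longer part of
      // the JDK since Java 11; the encoded form (standard alphabet, padded) is the same.
      java.util.Base64.Encoder base64 = java.util.Base64.getEncoder();
      return base64.encodeToString(bytesIV) + ";" + base64.encodeToString(encryptedBytes);
    } catch (java.security.InvalidKeyException e) {
      // The key itself is deliberately kept out of the message.
      throw new IllegalArgumentException(
          "strKey must be 16, 24 or 32 bytes long when encoded as UTF-8", e);
    } catch (java.security.GeneralSecurityException e) {
      throw new IllegalStateException("AES/CBC encryption failed", e);
    }
  }
}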
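/**
 * Compliant example: AES/CBC encryption with a fresh, unpredictable IV for every message.
 *
 * <p>CBC with PKCS#5 padding provides confidentiality only; the output is not authenticated.
 * Where the ciphertext can be modified in transit or at rest, verify a MAC over the IV and
 * ciphertext before decrypting, or use an authenticated mode such as {@code AES/GCM/NoPadding}.
 */
public class MyCbcClass {

  /** AES block size in bytes, which is also the IV length required by CBC mode. */
  private static final int IV_LENGTH_BYTES = 16;

  // One SecureRandom per instance is reused across calls instead of being re-created each time.
  private final SecureRandom random = new SecureRandom();

  /**
   * Encrypts {@code plainText} with AES in CBC mode and PKCS#5 padding.
   *
   * @param strKey key material; its UTF-8 encoding is used verbatim as the AES key, so it must
   *     be 16, 24 or 32 bytes long (no key derivation is applied)
   * @param plainText text to encrypt; encoded as UTF-8 before encryption
   * @return {@code base64(IV) + ";" + base64(ciphertext)}; the IV is not secret and is needed
   *     for decryption
   * @throws IllegalArgumentException if {@code strKey} is not a valid AES key
   * @throws IllegalStateException if the cipher is unavailable or encryption fails
   */
  public String applyCBC(String strKey, String plainText) {
    // Compliant: a new IV is drawn from a secure random generator on every call.
    byte[] bytesIV = new byte[IV_LENGTH_BYTES];
    random.nextBytes(bytesIV);

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec =
        new SecretKeySpec(strKey.getBytes(java.nio.charset.StandardCharsets.UTF_8), "AES");

    try {
      /* Ciphering */
      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
      cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
      byte[] encryptedBytes =
          cipher.doFinal(plainText.getBytes(java.nio.charset.StandardCharsets.UTF_8));

      // java.util.Base64 replaces javax.xml.bind.DatatypeConverter, which is no longer part of
      // the JDK since Java 11; the encoded form (standard alphabet, padded) is the same.
      java.util.Base64.Encoder base64 = java.util.Base64.getEncoder();
      return base64.encodeToString(bytesIV) + ";" + base64.encodeToString(encryptedBytes);
    } catch (java.security.InvalidKeyException e) {
      // The key itself is deliberately kept out of the message.
      throw new IllegalArgumentException(
          "strKey must be 16, 24 or 32 bytes long when encoded as UTF-8", e);
    } catch (java.security.GeneralSecurityException e) {
      throw new IllegalStateException("AES/CBC encryption failed", e);
    }
  }
}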