Encryption operations should use a secure mode and padding scheme so that confidentiality and integrity can be guaranteed.
- For block cipher encryption algorithms (like AES):
- The ECB (Electronic Codebook) cipher mode doesn’t provide serious message confidentiality: under a given key any given plaintext block
always gets encrypted to the same ciphertext block. This mode never be used.
- The CBC (Cipher Block Chaining) mode by itself provides only data confidentiality. This cipher mode is also vulnerable to padding oracle attacks when used with padding. Using CBC along with Message
Authentication Code can provide data integrity and should prevent such attacks. In practice the implementation has many pitfalls and it’s
recommended to avoid CBC with padding completely.
- The GCM (Galois Counter Mode) mode which works
internally with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality.
Other similar modes are CCM, CWC, EAX, IAPM and OCB.
- For RSA encryption algorithm, the recommended padding scheme is OAEP.
Noncompliant Code Example
Cipher c1 = Cipher.getInstance("AES"); // Noncompliant: by default ECB mode is chosen
Cipher c2 = Cipher.getInstance("AES/ECB/NoPadding"); // Noncompliant: ECB doesn't provide serious message confidentiality
Cipher c3 = Cipher.getInstance("RSA/None/NoPadding"); // Noncompliant: RSA without OAEP padding scheme is not recommanded
Compliant Solution
// Recommended for block ciphers
Cipher c1 = Cipher.getInstance("AES/GCM/NoPadding"); // Compliant
// Recommended for RSA
Cipher c3 = Cipher.getInstance("RSA/None/OAEPWITHSHA-256ANDMGF1PADDING"); // Compliant
// or the ECB mode can be used for RSA when "None" is not available with the security provider used - in that case, ECB will be treated as "None" for RSA.
Cipher c3 = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING"); // Compliant
See