BerylEnigma icon indicating copy to clipboard operation
BerylEnigma copied to clipboard
verified publisher icon ffffffff0x

Insecure use of (Insecure IV usage: constant IV) in symmetricEncryption.java

Open A-Amyan opened this issue 5 months ago • 0 comments

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in symmetricEncryption.java at lines {40, 54}, which can lead to an attack (e.g., Semantic security is broken—identical plaintext blocks produce identical ciphertext blocks, leaking structure and enabling pattern analysis).

This is our result:

    "explanation": "Direct instantiation of IvParameterSpec in encrypt with the provided IV value.",
    "cryptographicObjectType": "IvParameterSpec",
    "codeSnippet": "IvParameterSpec ivps = new IvParameterSpec(iv);",
    "vulnerabilityType": "Insecure",
    "correction": "A constant IV value ('testtesttesttest') is hardcoded. Instead, generate a random IV for each encryption operation (if the chosen mode requires one) and securely transmit or store it alongside the ciphertext.",

A-Amyan avatar Jul 09 '25 11:07 A-Amyan