
Insecure use of (Hard-coded keys: embedding key material) in symmetricEncryption.java

A-Amyan opened this issue 5 months ago · 0 comments

We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in symmetricEncryption.java at lines {36, 50}, which can lead to an attack (e.g., Trivial brute-forcing or dictionary attacks on the key material).

This is our result:

    {
        "explanation": "Direct instantiation of SecretKeySpec in decrypt; the algorithm is derived by splitting cipherInstance (resulting in \"AES\").",
        "cryptographicObjectType": "SecretKeySpec",
        "codeSnippet": "SecretKeySpec keySpec = new SecretKeySpec(key, cipherInstance.split(\"/\")[0]);",
        "vulnerabilityType": "Insecure",
        "correction": "Using a hardcoded key ('1234567890abcdef1234567890abcdef') in the decryption routine is insecure. Adopt a secure key management mechanism to avoid embedding secret keys directly in the source code."
    }

A-Amyan · Jul 09 '25 11:07
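The pattern the report describes, with the hardened alternative beside it, as an added example that is not code from the BerylEnigma project or from the issue author. The hard-coded key string and the `SecretKeySpec(key, "AES")` construction are taken from the report; everything else (the class name, the environment variable `BERYL_AES_KEY_B64`, the use of AES/GCM, the helper methods) is an assumption made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical example class; not part of BerylEnigma.
public class KeyHandlingExample {

    // The insecure pattern from the report: the key is a string literal in the source,
    // so every copy of the repository or the built jar carries the secret.
    static SecretKey hardcodedKey() {
        byte[] key = "1234567890abcdef1234567890abcdef".getBytes(StandardCharsets.UTF_8);
        return new SecretKeySpec(key, "AES");
    }

    // Hardened: the key is supplied at runtime from outside the code base. Here it is read
    // (Base64-encoded) from an environment variable whose name is an assumption; a Java
    // KeyStore or a KMS would be the usual production choice. The length check rejects
    // anything that is not a valid AES key before it reaches the cipher.
    static SecretKey keyFromEnvironment(String varName) {
        String b64 = System.getenv(varName);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException("no key material provided in " + varName);
        }
        byte[] key = Base64.getDecoder().decode(b64);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException("AES key must be 128, 192 or 256 bits");
        }
        return new SecretKeySpec(key, "AES");
    }

    // Generating a key with the JCA's KeyGenerator is how key material should be created
    // in the first place; the result is then stored by the key management mechanism,
    // never pasted into source.
    static SecretKey freshKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // AES/GCM with a random 96-bit IV prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, ivAndCt, 0, 12));
        return c.doFinal(ivAndCt, 12, ivAndCt.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Use the externally supplied key when present, otherwise generate one for this run.
        SecretKey key = System.getenv("BERYL_AES_KEY_B64") != null
                ? keyFromEnvironment("BERYL_AES_KEY_B64")
                : freshKey();
        byte[] ct = encrypt(key, "constructed sample plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, ct), StandardCharsets.UTF_8));
    }
}
```

Run with `BERYL_AES_KEY_B64=$(openssl rand -base64 32) java KeyHandlingExample.java` to exercise the external-key path; without the variable the program falls back to a freshly generated key. The `hardcodedKey()` method is kept only to show the shape a reviewer or static-analysis rule looks for (a string or byte-array literal flowing into `SecretKeySpec`); nothing in the program calls it.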