i2p.i2p
Insecure use of (Hard-coded keys: embedding AES key) in CryptixAESEngine.java
We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in CryptixAESEngine.java at line 52, which can lead to an attack (e.g., Key extraction via static analysis, Key extraction via dynamic analysis, Universal compromise, no forward secrecy, Known-key forgery, Replay attacks, Supply-chain exposure).
This is our result:
"explanation": "Direct instantiation of SecretKeySpec to create a constant zero AES key.",
"cryptographicObjectType": "SecretKeySpec",
"codeSnippet": "private static final SecretKeySpec ZERO_KEY = new SecretKeySpec(new byte[32], \"AES\");",
"vulnerabilityType": "Insecure",
"correction": "Avoid using a hardcoded, constant key. Instead of using a constant zero-filled key, generate keys dynamically or use a secure key management system. If this key is only used to reset cipher state in a caching mechanism, ensure that it cannot be confused with a real encryption key.",
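As an added illustration (hypothetical code, not I2P's own CryptixAESEngine; the class and method names are assumed), here is the pattern the correction describes: session keys come from KeyGenerator, and the zero-filled SecretKeySpec survives only as a scrub sentinel for a cached Cipher that the data path explicitly rejects.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical engine wrapper (not I2P's CryptixAESEngine). The all-zero key survives
// only as a private sentinel for scrubbing a cached Cipher; the data path refuses it.
public final class GuardedAesEngine {
    private static final int KEY_BYTES = 32;
    // Sentinel: used solely to re-key a cached Cipher so real key material is dropped.
    private static final SecretKeySpec SCRUB_KEY = new SecretKeySpec(new byte[KEY_BYTES], "AES");
    private static final byte[] ALL_ZERO = new byte[KEY_BYTES];

    // Real keys come from a CSPRNG-backed generator, never from a compile-time constant.
    public static SecretKey newSessionKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_BYTES * 8);
        return kg.generateKey();
    }

    // Guard: reject the sentinel (or any all-zero or wrong-length key) before it touches data.
    // MessageDigest.isEqual is constant-time, so the check does not leak key bytes via timing.
    static void requireRealKey(SecretKey key) {
        byte[] raw = key.getEncoded();
        if (raw == null || raw.length != KEY_BYTES || MessageDigest.isEqual(raw, ALL_ZERO)) {
            throw new IllegalArgumentException("refusing sentinel/zero/short AES key on data path");
        }
    }

    // CBC over whole blocks, as a block engine exposes it; the caller supplies a fresh IV per message.
    public static byte[] encryptBlocks(SecretKey key, byte[] iv, byte[] blocks)
            throws GeneralSecurityException {
        requireRealKey(key);
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(blocks);
    }

    // Cache reset: load the sentinel so the previous real key is no longer resident in the Cipher.
    // This is the only call site that may ever see SCRUB_KEY.
    static void scrub(Cipher cached) throws GeneralSecurityException {
        cached.init(Cipher.ENCRYPT_MODE, SCRUB_KEY, new IvParameterSpec(new byte[16]));
    }
}
```

Calling `encryptBlocks(SCRUB_KEY, iv, data)` throws IllegalArgumentException, so a cache-reset key can no longer be mistaken for a session key, while `scrub` remains the single sanctioned use of the constant.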