Greetings fellows
I just found something in a code. Aes in insecure mode
Cipher cipher;
cipher = Cipher.getInstance(“AES”);
So the issue here is the insecure mode depends of the Java version is used ? or it can apply any version, the latest versions are insecure too ?
thanks for your help and clarification
Hi you there @elated-colden
I don’t completely understand your question, it doesn’t matter the version of the lenguage you are using, you could use java, c#, javascript, etc. to make the cryptographic configuration.
In case you’re asking if AES is insecure or not, I would say it depends on the configuration itself. For example, you should verify if AES128 (or any implementation with a block size of less than 256-bits) is used to do financial transactions, if the iv isn’t random enough or if there are insecure modes being used, such as ECB or CBC.
If any of these features apply to your case, then you could say that the cryptographic alghorithm is insecure.
You can check these links from OWASP: Guide to Cryptography, specially the “Symmetric Cryptography” and “How to protect yourself” sections, where you’ll find some recommendations to configure symmetric algorithms and Secure Cryptographic Storage Design where you will find some rules to apply over AES and other alghorithms.