Insecure GCM IV and Key Usage
Description
The GCM IV and key are generated from the same source, which can lead to insecure encryption. In GCM mode, it is crucial to use a random and unique IV for each encryption operation to prevent attacks.
Examples
Insecure Code
java
byte[] keyBytes = "my_secret_key".getBytes();
GCMParameterSpec gcmParamSpec = new GCMParameterSpec(128, keyBytes);
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");Secure Code
java
byte[] keyBytes = "my_secret_key".getBytes();
SecureRandom random = new SecureRandom();
byte[] iv = new byte[12];
random.nextBytes(iv);
GCMParameterSpec gcmParamSpec = new GCMParameterSpec(128, iv);
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");Remediation
Generate a random IV for each encryption operation using a secure random number generator.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0740 |
| Category | Crypto |
| Severity | HIGH |
| CWE | CWE-330 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, GCM, IV |
| OWASP | N/A |