Use of RSA Algorithm without OAEP
Description
The software uses the RSA algorithm without Optimal Asymmetric Encryption Padding (OAEP), which weakens the encryption: raw (unpadded) RSA is deterministic and malleable, and OAEP is the padding scheme that gives RSA encryption its randomization and integrity properties.
Examples
Insecure Code

```scala
javax.crypto.Cipher.getInstance("RSA/ECB/NoPadding")
```

Secure Code

```scala
javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
```

Remediation
Use RSA with OAEP, such as RSA/ECB/OAEPWithSHA-256AndMGF1Padding
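The following Scala program is an added example (not part of this rule page) that contrasts the two transformations above through the JCE API: raw RSA is deterministic, so equal plaintexts produce equal ciphertexts, while OAEP is randomized and still decrypts correctly. It also passes an explicit OAEPParameterSpec, because with only the transformation string SunJCE uses SHA-1 inside MGF1, which other libraries that assume SHA-256 throughout will not interoperate with. The key pair and plaintext are constructed for the demo.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.{Key, KeyPairGenerator}
import java.security.spec.MGF1ParameterSpec
import java.util.Arrays
import javax.crypto.Cipher
import javax.crypto.spec.{OAEPParameterSpec, PSource}

object RsaPaddingDemo {
  // Constructed 2048-bit key pair for the demo; real code loads the peer's public key.
  private val keyPair = {
    val kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); kpg.generateKeyPair()
  }
  // The flagged transformation: textbook RSA. "No padding" means the cipher is handed
  // a raw 256-byte integer, so the caller zero-fills a block itself; nothing random is added.
  def encryptRaw(msg: Array[Byte]): Array[Byte] = {
    val block = new Array[Byte](256)
    System.arraycopy(msg, 0, block, 256 - msg.length, msg.length)
    val c = Cipher.getInstance("RSA/ECB/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, keyPair.getPublic)
    c.doFinal(block)
  }
  // The remediated transformation, with SHA-256 pinned for MGF1 as well: SunJCE otherwise
  // uses SHA-1 inside MGF1 even when the name says SHA-256, which other libraries may not expect.
  private val oaepSha256 =
    new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)
  private def oaepCipher(mode: Int, key: Key): Cipher = {
    val c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
    c.init(mode, key, oaepSha256)
    c
  }
  def encryptOaep(msg: Array[Byte]): Array[Byte] =
    oaepCipher(Cipher.ENCRYPT_MODE, keyPair.getPublic).doFinal(msg)
  def decryptOaep(ct: Array[Byte]): Array[Byte] =
    oaepCipher(Cipher.DECRYPT_MODE, keyPair.getPrivate).doFinal(ct)
  // Raw RSA is deterministic: equal plaintexts give equal ciphertexts, so an observer
  // can match messages without the private key. OAEP is randomized yet still round-trips.
  def rawIsDeterministic(msg: Array[Byte]): Boolean =
    Arrays.equals(encryptRaw(msg), encryptRaw(msg))
  def oaepIsRandomized(msg: Array[Byte]): Boolean = {
    val (c1, c2) = (encryptOaep(msg), encryptOaep(msg))
    !Arrays.equals(c1, c2) && Arrays.equals(decryptOaep(c1), msg) && Arrays.equals(decryptOaep(c2), msg)
  }
  def main(args: Array[String]): Unit = {
    val msg = "constructed sample plaintext".getBytes(UTF_8)
    println(s"raw RSA deterministic: ${rawIsDeterministic(msg)}")
    println(s"OAEP randomized and round-trips: ${oaepIsRandomized(msg)}")
  }
}
```

With OAEP and SHA-256 on a 2048-bit key the plaintext is limited to 190 bytes, so RSA is normally used to wrap a symmetric key rather than encrypt bulk data.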
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0028 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-780 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, cryptographic failures |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |