RSA without padding is insecure (JAVA-S1013)
This code creates a javax.crypto.Cipher instance using the RSA algorithm with no padding. This is a security risk and must be avoided.
Without a proper padding scheme to "armor" the plaintext before encryption, RSA encryption can be insecure and may be easily broken.
Secure RSA encryption schemes pad or "armor" the plaintext with securely randomized data to ensure that each plaintext is unique before encryption. Without the extra random data, RSA becomes a more basic version known as Textbook RSA, which takes on two undesirable properties:
- It is Malleable - Given the ciphertext c of a message m, it is possible to compute c′ ≡ c⋅2^e mod n. Decrypting c′ would result in 2m mod n. In other words, a ciphertext can be changed in a way that has a predictable effect on the plaintext, which is undesirable in a good encryption algorithm.
- It is Deterministic - The same plaintext when encrypted with the same key will always result in the same ciphertext. Because of this, RSA loses its semantic security.
This can greatly reduce the security provided by encryption and must be avoided.
Bad Practice
Cipher.getInstance("RSA/NONE/NoPadding")
Recommended
Consider using one of the NIST-approved OAEP (Optimal Asymmetric Encryption Padding) padding schemes:
Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")
For more information regarding appropriate padding schemes to use, consult the Java security standard algorithm names specification provided by Oracle.
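The two properties described above, next to an OAEP cipher, as an added example that is not part of the original rule documentation: NoPadding yields identical ciphertexts and a tampered ciphertext that decrypts to 2m, while OAEP yields a different ciphertext on each call. It assumes a throwaway 2048-bit key and a constructed one-byte plaintext; the class name RsaPaddingDemo and the helper toFixed are hypothetical.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaPaddingDemo { // hypothetical class name
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key for this demo
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        byte[] msg = {42}; // constructed sample plaintext, m = 42

        // Deterministic: same key and plaintext give the same ciphertext.
        Cipher raw = Cipher.getInstance("RSA/ECB/NoPadding");
        raw.init(Cipher.ENCRYPT_MODE, pub);
        byte[] c1 = raw.doFinal(msg);
        byte[] c2 = raw.doFinal(msg);
        System.out.println("NoPadding repeats: " + Arrays.equals(c1, c2));

        // Malleable: c' = c * 2^e mod n, built from public values only.
        BigInteger n = pub.getModulus(), e = pub.getPublicExponent();
        BigInteger cPrime = new BigInteger(1, c1)
                .multiply(BigInteger.valueOf(2).modPow(e, n)).mod(n);
        raw.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        byte[] tampered = raw.doFinal(toFixed(cPrime, c1.length));
        System.out.println("c' decrypts to: " + new BigInteger(1, tampered));

        // OAEP: pin both the OAEP digest and the MGF1 digest explicitly.
        OAEPParameterSpec spec = new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
        Cipher oaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        oaep.init(Cipher.ENCRYPT_MODE, pub, spec);
        byte[] o1 = oaep.doFinal(msg);
        byte[] o2 = oaep.doFinal(msg);
        System.out.println("OAEP repeats: " + Arrays.equals(o1, o2));
    }
    // Hypothetical helper: big-endian bytes of v, exactly len bytes long.
    static byte[] toFixed(BigInteger v, int len) {
        byte[] b = v.toByteArray(), out = new byte[len];
        int k = Math.min(b.length, len);
        System.arraycopy(b, b.length - k, out, len - k, k);
        return out;
    }
}
```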
References
- FindSecBugs - RSA_NO_PADDING
- Java Security Standard Algorithm Names Specification - Cipher Algorithm Paddings
- CWE-780 - Use of RSA Algorithm without OAEP
- Wikipedia - semantic security
- Wikipedia - Optimal Asymmetric Encryption Padding
- Root Labs - Why RSA encryption padding is critical
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
- OWASP Top Ten (2021) - Category A02 - Cryptographic Failures