Usage of ECB cipher mode

• Rule ID: java_lang_weak_encryption_ecb_mode
• Languages: java
• Source: weak_encryption_ecb_mode.yml

Description

The ECB (Electronic Codebook) cipher mode is recognized as insecure and is not recommended for use in cryptographic protocols. This mode does not provide adequate data protection because it encrypts identical plaintext blocks into identical ciphertext blocks, making it vulnerable to pattern analysis. For stronger security, it's essential to use encryption algorithms that have built-in message integrity and do not require a mode of operation to be configured, such as ChaCha20-Poly1305 or, for older applications that do not support this, AES-256-GCM.

Remediations

• Do choose ChaCha20-Poly1305 or AES-256-GCM for encryption. These algorithms include built-in message integrity, offering a more secure alternative to ECB mode.

  Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding");

References

• Java Cipher class

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_weak_encryption_ecb_mode

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_weak_encryption_ecb_mode