Usage of ECB Cipher Mode

Overview

  • Rule ID: java_lang_weak_encryption_ecb_mode

  • Applicable Languages: Java

  • Weakness ID: CWE-327

Description

The ECB (Electronic Codebook) cipher mode is considered insecure and should not be used in cryptographic protocols. Under a given key it encrypts identical plaintext blocks into identical ciphertext blocks, so repeated structure in the plaintext remains visible in the ciphertext, which makes it susceptible to pattern analysis and inadequate for data protection. For stronger security, use encryption algorithms with built-in message integrity and no need for a configurable mode of operation, such as ChaCha20-Poly1305. For older applications that do not support these newer algorithms, AES-256-GCM is a recommended alternative.

Remediation Guidelines

  • Do choose ChaCha20-Poly1305 or AES-256-GCM for encryption. These algorithms include built-in message integrity, offering a more secure alternative to ECB mode.

    // AEAD transformation with built-in integrity; requires javax.crypto.Cipher (JDK 11 or later)
    Cipher chaChaCipher = Cipher.getInstance("ChaCha20-Poly1305/None/NoPadding");
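As an added example that is not part of the rule page, assuming JDK 11 or later, the following program puts the flagged ECB pattern beside the remediated ChaCha20-Poly1305 form: it shows the block repetition that ECB leaks on a constructed two-block input, and the tag check that the AEAD adds when a ciphertext byte is altered in transit.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class EcbVersusAead {
    // Constructed input: two identical 16-byte blocks, the case in which ECB visibly leaks.
    static final byte[] PLAINTEXT = "SAME-BLOCK-0123!SAME-BLOCK-0123!".getBytes(StandardCharsets.US_ASCII);
    static final String AEAD = "ChaCha20-Poly1305/None/NoPadding";
    // Remediated form: a fresh random 12-byte nonce per message, prepended to the ciphertext so
    // the receiver can recover it; doFinal appends the 16-byte Poly1305 tag.
    static byte[] aeadEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance(AEAD);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // The tag is checked before any plaintext is returned: a modified byte raises AEADBadTagException.
    static byte[] aeadDecrypt(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance(AEAD);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(Arrays.copyOf(msg, 12)));
        return c.doFinal(msg, 12, msg.length - 12);
    }
    public static void main(String[] args) throws Exception {
        // What the rule flags: no nonce, no tag, identical blocks in -> identical blocks out.
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        Cipher ecb = Cipher.getInstance("AES/ECB/NoPadding");
        ecb.init(Cipher.ENCRYPT_MODE, aesGen.generateKey());
        byte[] e = ecb.doFinal(PLAINTEXT);
        System.out.println("ECB  block1==block2: " + Arrays.equals(e, 0, 16, e, 16, 32));   // true
        SecretKey key = KeyGenerator.getInstance("ChaCha20").generateKey(); // 256-bit key
        byte[] a = aeadEncrypt(key, PLAINTEXT);
        System.out.println("AEAD block1==block2: " + Arrays.equals(a, 12, 28, a, 28, 44)); // false
        System.out.println("round trip ok: " + Arrays.equals(aeadDecrypt(key, a), PLAINTEXT)); // true
        byte[] tampered = a.clone();
        tampered[20] ^= 1; // flip one ciphertext bit
        try { aeadDecrypt(key, tampered); } catch (AEADBadTagException ex) { System.out.println("tampering detected"); }
    }
}
```

The same structure applies to AES-256-GCM with `GCMParameterSpec(128, nonce)` in place of `IvParameterSpec`; in both cases a nonce must never be reused under the same key.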

Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our SAST tool.
