Hi, I am currently looking into projects on github which are parametrically misusing cryptographic APIs for my research and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as
In your source code file DES.java there are following issues in encrypt(String, String):
AlgorithmParameterSpec paramSpec = new IvParameterSpec(IV_PARAMS_BYTES);;
The first parameter should be properly randomized using java.security.SecureRandom API.
Cipher cipher = Cipher.getInstance(ALGORITHM_DES);
The first parameter (with value "DES/CBC/PKCS5Padding") should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}
cipher.init(Cipher.ENCRYPT_MODE, secretKey,paramSpec);
since "paramSpec" was not properly prepared due to the absence of randomzation therefore, here cipher.init() call is compromised as well. Same issues were found in the function "decrypt(String, String)"
Next in your source code file AES.java we found following misuses:
Cipher cipher = Cipher.getInstance("AES");
First parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
Next in your source code file SHA1.java we found following misuses:
MessageDigest md = MessageDigest.getInstance("SHA-1");
First parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}
Then in your source code file DigestUtils.java we found following misuses:
MessageDigest md = MessageDigest.getInstance(MD5_NAME);
First parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}
I believe fixing these issues would help your product be more secure.