Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-2070

SHA-1 and Message-Digest hash algorithms should not be used in secure contexts

    Details

    • Message:
      Use a stronger hashing algorithm than xxx.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      ABAP, C, C++, Go, JavaScript, Kotlin, Objective-C, Python, Ruby, Scala, TypeScript, VB.Net
    • Covered Languages:
      C#, Java, PHP, PL/SQL, Swift, T-SQL
    • Irrelevant for Languages:
      Cobol, CSS, Flex, HTML, PL/I, RPG, Solidity, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-328, CWE-327
    • OWASP:
      A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      WEAK_MESSAGE_DIGEST_MD5, WEAK_MESSAGE_DIGEST_SHA1
    • Fortify:
      weak_cryptographic_hash
    • MSFT Roslyn:
      CA5351

      Description

      The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160.

      Consider using safer alternatives, such as SHA-256, SHA-512 or SHA-3.

      See

        Attachments

          Issue Links

          1.
          Java RSPEC-2071 Language-Specification Active Unassigned
          2.
          C# RSPEC-2853 Language-Specification Active Unassigned
          3.
          PHP RSPEC-4672 Language-Specification Active Unassigned
          4.
          PL/SQL RSPEC-4673 Language-Specification Active Unassigned
          5.
          Python RSPEC-4674 Language-Specification Active Unassigned
          6.
          T-SQL RSPEC-4675 Language-Specification Active Unassigned
          7.
          Swift RSPEC-4677 Language-Specification Active Unassigned
          8.
          JavaScript RSPEC-4678 Language-Specification Active Unassigned
          9.
          C-Family RSPEC-4681 Language-Specification Active Unassigned

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                ann.campbell.2 Ann Campbell
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated: