
Using non-standard cryptographic algorithms is security-sensitive

    Details

    • Message:
      Make sure using a non-standard cryptographic algorithm is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, C, C++, PHP
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      1d
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-327
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      CUSTOM_MESSAGE_DIGEST

      Description

      The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like SHA-256, SHA-384, SHA-512, ... should be used instead.

      This rule tracks the creation of java.security.MessageDigest subclasses.

      Recommended Secure Coding Practices

      • Use a standard algorithm instead of creating a custom one.

      Noncompliant Code Example

      import java.security.MessageDigest;

      class MyCryptographicAlgorithm extends MessageDigest { // Noncompliant: custom digest subclass
        ...
      }
      
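      The pattern the rule flags, shown beside the compliant alternative, as an added example that is not code from the rule description: the HomeGrownDigest class and its toy algorithm are constructed for this illustration, and the compliant method obtains the standard SHA-256 algorithm through MessageDigest.getInstance. It assumes Java 17 or later for HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class DigestExample {
    // Noncompliant: a MessageDigest subclass is the exact pattern this rule flags.
    // The "algorithm" is a constructed toy (a 32-bit polynomial running sum) with
    // no cryptanalysis behind it; its 32-bit output alone makes collisions easy to find.
    static final class HomeGrownDigest extends MessageDigest {
        private int state;

        HomeGrownDigest() { super("HomeGrown"); } // hypothetical algorithm name

        @Override protected void engineUpdate(byte input) {
            state = state * 31 + (input & 0xff);
        }
        @Override protected void engineUpdate(byte[] in, int off, int len) {
            for (int i = off; i < off + len; i++) engineUpdate(in[i]);
        }
        @Override protected byte[] engineDigest() {
            byte[] out = { (byte) (state >>> 24), (byte) (state >>> 16),
                           (byte) (state >>> 8), (byte) state };
            engineReset();
            return out;
        }
        @Override protected void engineReset() { state = 0; }
    }

    // Compliant: request a standard algorithm from the JCA provider framework
    // instead of subclassing MessageDigest.
    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample input".getBytes(StandardCharsets.UTF_8); // constructed input
        HexFormat hex = HexFormat.of();
        System.out.println("HomeGrown: " + hex.formatHex(new HomeGrownDigest().digest(msg)));
        System.out.println("SHA-256  : " + hex.formatHex(sha256(msg)));
    }
}
```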

      See

            People

            • Assignee:
              Unassigned
              Reporter:
              freddy.mallet Freddy Mallet (Inactive)