[RSPEC-2257] Using non-standard cryptographic algorithms is security-sensitive - SonarSource

Details

Type: Security Hotspot Detection
Status: Active
Resolution: Unresolved
Labels:

Message:
Make sure using a non-standard cryptographic algorithm is safe here.
Default Severity:
Critical
Impact:
High
Likelihood:
Low
Default Quality Profiles:

Sonar way
Targeted languages:

C#, C, C++, PHP
Covered Languages:

Java
Remediation Function:
Constant/Issue
Constant Cost:
1d
Analysis Scope:

Main Sources
Common Rule:

Yes

CWE:
CWE-327
OWASP:
A3
SANS Top 25:
Porous Defenses

FindSecBugs:
CUSTOM_MESSAGE_DIGEST

Description

The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like SHA-256, SHA-384, SHA-512, ... should be used instead.

This rule tracks creation of java.security.MessageDigest subclasses.

Recommended Secure Coding Practices

use a standard algorithm instead of creating a custom one.

Noncompliant Code Example

MyCryptographicAlgorithm extends MessageDigest {
  ...
}

See

OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
SANS Top 25 - Porous Defenses
Derived from FindSecBugs rule MessageDigest is Custom

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Freddy Mallet (Inactive)

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

03/Dec/14 3:18 PM

Updated:

06/May/19 9:22 PM