
Weak Hashing Configuration

What does this mean?

Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts. MD2, MD4, MD5, RIPEMD-160, and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. However, as recent cryptanalysis research has revealed fundamental weaknesses in these algorithms, they should no longer be used within security-critical contexts.

What can happen?

Incorrect use of encryption algorithms may result in sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks.

Recommendation

  • Weak hash/encryption algorithms such as MD5, RC4, DES, Blowfish, and SHA1 should not be used.
  • When using AES128 or AES256, the IV (Initialization Vector) must be random and unpredictable.
  • When using SSH, CBC mode should not be used.
  • When a symmetric encryption algorithm is used, ECB (Electronic Code Book) mode should not be used.

Sample Code

Vulnerable (C#):

var hashProvider1 = new MD5CryptoServiceProvider(); // Sensitive
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); // Sensitive
var hashProvider3 = new SHA1Managed(); // Sensitive
var hashProvider4 = HashAlgorithm.Create("SHA1"); // Sensitive

Non Vulnerable (C#):

var hashProvider1 = new SHA512Managed(); // Compliant
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA512"); // Compliant
var hashProvider3 = HashAlgorithm.Create("SHA512"); // Compliant

Vulnerable (Java):

MessageDigest md = MessageDigest.getInstance("SHA1");  // Sensitive

Non Vulnerable (Java):

MessageDigest md = MessageDigest.getInstance("SHA-512"); // Compliant

Vulnerable (PHP):

$password = md5($password); // Sensitive
$password = sha1($password);   // Sensitive

Non Vulnerable (PHP):

$password = password_hash($password, PASSWORD_BCRYPT); // Compliant
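
The Sensitive calls in the samples above can be located mechanically during code review. The following line-based scanner is an added example, not part of the original page; its regular expressions, function names and sample input are constructed for illustration and cover only the C#, Java and PHP call shapes shown here.

```python
import re

# Hash algorithms this page names as weak, normalised (upper-case, no dashes).
WEAK = {"MD2", "MD4", "MD5", "SHA1", "RIPEMD160"}

PATTERNS = [
    # C#: new MD5CryptoServiceProvider(), new SHA1Managed()
    re.compile(r"\bnew\s+(?P<alg>[A-Za-z0-9]+?)(?:CryptoServiceProvider|Managed|Cng)\s*\("),
    # C# / Java factories that take the algorithm name as a string literal
    re.compile(r"\b(?:CreateFromName|HashAlgorithm\.Create|MessageDigest\.getInstance)"
               r"\s*\(\s*\"(?P<alg>[^\"]+)\""),
    # PHP: md5($x), sha1($x); the lookbehind skips method calls and longer names
    re.compile(r"(?<![\w.>$])(?P<alg>md5|sha1)\s*\(", re.IGNORECASE),
    # PHP: hash('md5', $x); \b keeps password_hash() from matching
    re.compile(r"\bhash\s*\(\s*['\"](?P<alg>[^'\"]+)['\"]", re.IGNORECASE),
]

def normalise(name):
    """Reduce 'SHA-1', 'SHA1Managed' or 'System...MD5' to a bare algorithm name."""
    name = name.rsplit(".", 1)[-1].upper().replace("-", "").replace("_", "")
    for suffix in ("CRYPTOSERVICEPROVIDER", "MANAGED", "CNG"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name

def scan(source):
    """Return (line_number, algorithm) for each weak-hash call found in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern in PATTERNS:
            for match in pattern.finditer(line):
                alg = normalise(match.group("alg"))
                if alg in WEAK:
                    findings.append((lineno, alg))
    return findings

# Constructed sample mixing the Sensitive and Compliant calls from this page.
SAMPLE = '''var h1 = new MD5CryptoServiceProvider();
var h2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5");
var h3 = new SHA1Managed();
var ok1 = new SHA512Managed();
MessageDigest md = MessageDigest.getInstance("SHA1");
MessageDigest ok2 = MessageDigest.getInstance("SHA-512");
$password = md5($password);
$password = password_hash($password, PASSWORD_BCRYPT);
'''

if __name__ == "__main__":
    for lineno, alg in scan(SAMPLE):
        print(f"line {lineno}: weak hash {alg}")
```

Because matching is per line and purely textual, a weak algorithm name that appears inside a comment or is built at runtime is respectively over-reported or missed; treat the output as a review aid rather than proof of absence.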
