46 lines
1.5 KiB
Plaintext
46 lines
1.5 KiB
Plaintext
|
=== On 2014-09-30T15:06:51Z Ann Campbell Wrote:
|
||
|
|
\[~nicolas.peru] please review
|
||
|
|
|
||
|
|
=== On 2014-09-30T15:49:55Z Nicolas Peru Wrote:
|
||
|
|
Reviewed, corrected typo and update example.
|
||
|
|
|
||
|
|
=== On 2014-10-12T17:28:38Z Freddy Mallet Wrote:
|
||
|
|
@Ann, I would make this rule also prevent use of MD5 which is even less secured than SHA-1.
|
||
|
|
|
||
|
|
|
||
|
|
The title of this rule could then become :
|
||
|
|
|
||
|
|
* Unsecured SHA-1 and MD5 hash algorithms should not be used
|
||
|
|
|
||
|
|
The Non Compliant Code Example could be :
|
||
|
|
|
||
|
|
----
|
||
|
|
MessageDigest md = MessageDigest.getInstance("SHA-1");
|
||
|
|
String text = "This is some text";
|
||
|
|
md.update(text.getBytes("UTF-8"));
|
||
|
|
byte[] digest = md.digest();
|
||
|
|
----
|
||
|
|
|
||
|
|
And in Java, replacing SHA-1 by SHA-256 is an available remediation action.
|
||
|
|
|
||
|
|
=== On 2014-12-12T20:53:33Z Sébastien Gioria Wrote:
|
||
|
|
It's not only MD5, but all the MD-series algorithms who are not safe
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
=== On 2014-12-15T15:04:34Z Ann Campbell Wrote:
|
||
|
|
Thanks [~sebastien.gioria]. Updated.
|
||
|
|
|
||
|
|
=== On 2018-08-30T17:53:57Z Andrei Epure Wrote:
|
||
|
|
This list should also contain HAVAL-128
|
||
|
|
|
||
|
|
|
||
|
|
Also, according to http://valerieaurora.org/hash.html[this graph], RIPEMD-160 has not been found to have collisions and is in the same bucket with SHA-2 family algorithms - so it should be replaced in the list with RIPEMD-128 (which has been broken)
|
||
|
|
|
||
|
|
=== On 2020-05-20T15:26:37Z Eric Therond Wrote:
|
||
|
|
Deprecated by S4790:
|
||
|
|
|
||
|
|
* we cannot guess the context where the weak hash function is used, so it's better to raise an hotspot
|
||
|
|
* we cannot maintain two rules on exactly the same subject
|
||
|
|
|