46 lines
1.5 KiB
Plaintext
46 lines
1.5 KiB
Plaintext
=== on 30 Sep 2014, 15:06:51 Ann Campbell wrote:
|
|
\[~nicolas.peru] please review
|
|
|
|
=== on 30 Sep 2014, 15:49:55 Nicolas Peru wrote:
|
|
Reviewed, corrected typo and update example.
|
|
|
|
=== on 12 Oct 2014, 17:28:38 Freddy Mallet wrote:
|
|
@Ann, I would make this rule also prevent use of MD5 which is even less secured than SHA-1.
|
|
|
|
|
|
The title of this rule could then become :
|
|
|
|
* Unsecured SHA-1 and MD5 hash algorithms should not be used
|
|
|
|
The Non Compliant Code Example could be :
|
|
|
|
----
|
|
MessageDigest md = MessageDigest.getInstance("SHA-1");
|
|
String text = "This is some text";
|
|
md.update(text.getBytes("UTF-8"));
|
|
byte[] digest = md.digest();
|
|
----
|
|
|
|
And in Java, replacing SHA-1 by SHA-256 is an available remediation action.
|
|
|
|
=== on 12 Dec 2014, 20:53:33 Sébastien Gioria wrote:
|
|
It's not only MD5, but all the MD-series algorithms who are not safe
|
|
|
|
|
|
|
|
=== on 15 Dec 2014, 15:04:34 Ann Campbell wrote:
|
|
Thanks [~sebastien.gioria]. Updated.
|
|
|
|
=== on 30 Aug 2018, 17:53:57 Andrei Epure wrote:
|
|
This list should also contain HAVAL-128
|
|
|
|
|
|
Also, according to http://valerieaurora.org/hash.html[this graph], RIPEMD-160 has not been found to have collisions and is in the same bucket with SHA-2 family algorithms - so it should be replaced in the list with RIPEMD-128 (which has been broken)
|
|
|
|
=== on 20 May 2020, 15:26:37 Eric Therond wrote:
|
|
Deprecated by S4790:
|
|
|
|
* we cannot guess the context where the weak hash function is used, so it's better to raise an hotspot
|
|
* we cannot maintain two rules on exactly the same subject
|
|
|