62 lines
2.6 KiB
Plaintext
62 lines
2.6 KiB
Plaintext
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160.
|
|
|
|
|
|
The following APIs are tracked for use of obsolete crypto algorithms:
|
|
|
|
* ``++java.security.AlgorithmParameters++`` (JDK)
|
|
* ``++java.security.AlgorithmParameterGenerator++`` (JDK)
|
|
* ``++java.security.MessageDigest++`` (JDK)
|
|
* ``++java.security.KeyFactory++`` (JDK)
|
|
* ``++java.security.KeyPairGenerator++`` (JDK)
|
|
* ``++java.security.Signature++`` (JDK)
|
|
* ``++javax.crypto.Mac++`` (JDK)
|
|
* ``++javax.crypto.KeyGenerator++`` (JDK)
|
|
* ``++org.apache.commons.codec.digest.DigestUtils++`` (Apache Commons Codec)
|
|
* ``++org.springframework.util.DigestUtils++``
|
|
* ``++com.google.common.hash.Hashing++`` (Guava)
|
|
* ``++org.springframework.security.authentication.encoding.ShaPasswordEncoder++`` (Spring Security 4.2.x)
|
|
* ``++org.springframework.security.authentication.encoding.Md5PasswordEncoder++`` (Spring Security 4.2.x)
|
|
* ``++org.springframework.security.crypto.password.LdapShaPasswordEncoder++`` (Spring Security 5.0.x)
|
|
* ``++org.springframework.security.crypto.password.Md4PasswordEncoder++`` (Spring Security 5.0.x)
|
|
* ``++org.springframework.security.crypto.password.MessageDigestPasswordEncoder++`` (Spring Security 5.0.x)
|
|
* ``++org.springframework.security.crypto.password.NoOpPasswordEncoder++`` (Spring Security 5.0.x)
|
|
* ``++org.springframework.security.crypto.password.StandardPasswordEncoder++`` (Spring Security 5.0.x)
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
val md1: MessageDigest = MessageDigest.getInstance("SHA"); // Sensitive: SHA is not a standard name, for most security providers it's an alias of SHA-1
|
|
val md2: MessageDigest = MessageDigest.getInstance("SHA1"); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,kotlin]
|
|
----
|
|
val md1: MessageDigest = MessageDigest.getInstance("SHA-512"); // Compliant
|
|
----
|
|
|
|
include::../see-mobile.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|