DevSkim/guidance/DS126858.md

1.3 KiB

Weak/Broken Hash Algorithm

Summary

  • A weak or broken hash algorithm was detected. Any usage of MD2, MD4, MD5 or SHA-1 is considered insecure.
  • Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512).

Details

Hash collisions are computationally feasible for older, weak hash algorithms such as MD2, MD4, MD5, and SHA-1. A hash collision allows an attacker to substitute an alternative input that results in the same hash value. Collision attacks allow attackers to undermine the security of systems using an insecure hash algorithm (e.g., by forging digital signatures, concealing data tampering, or cracking passwords).

Solution

.NET

Replace usages of insecure hash algorithms with System.Security.Cryptography.SHA512Cng, System.Security.Cryptography.SHA384Cng, or System.Security.Cryptography.SHA256Cng.

Python

The use of signers like MD5WithRSAEncryption in cryptography providers like BouncyCastle is susceptible to collision attacks. See the list of available BouncyCastle signers.

For more information, see CodeQL Python Hash Algorithm Guidance.