1.3 KiB
Weak/Broken Hash Algorithm
Summary
- A weak or broken hash algorithm was detected. Any usage of MD2, MD4, MD5 or SHA-1 is considered insecure.
- Replace the use of insecure hashing algorithms with more secure alternatives such as an algorithm from the SHA-2 family (SHA256, SHA384, and SHA512).
Details
Hash collisions are computationally feasible for older, weak hash algorithms such as MD2, MD4, MD5, and SHA-1. A hash collision allows an attacker to substitute an alternative input that results in the same hash value. Collision attacks allow attackers to undermine the security of systems using an insecure hash algorithm (e.g., by forging digital signatures, concealing data tampering, or cracking passwords).
Solution
.NET
Replace usages of insecure hash algorithms with System.Security.Cryptography.SHA512Cng
, System.Security.Cryptography.SHA384Cng
, or System.Security.Cryptography.SHA256Cng
.
Python
The use of signers like MD5WithRSAEncryption
in cryptography providers like BouncyCastle is susceptible to collision attacks. See the list of available BouncyCastle signers.
For more information, see CodeQL Python Hash Algorithm Guidance.