
insecure-crypto-algorithm

Ensure usage of secure cryptographic algorithms

Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. Relying on such insecure cryptographic algorithms as part of digital signature schemes or to provide confidentiality of sensitive information is an unnecessary risk.

The following algorithms are considered insecure (non-exhaustive list):

  • RC2, RC4
  • MD2, MD4, MD5
  • SHA1
  • DES
  • IDEA
  • Blowfish

Whenever possible, prefer modern cryptographic algorithms such as:

  • SHA256 / SHA512
  • SHA3
  • AES

Examples

Insecure Example

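# Python (hashlib): MD5 is on the insecure list above
import hashlib
m = hashlib.md5()
m.update(b"message for cryptographic signature")
print(m.digest())

###

# Python (cryptography): MD5 again, through the hazmat hashes API
from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.MD5())
digest.update(b"abc")
print(digest.finalize())

###

# Ruby (Digest): MD5
require 'digest'
md5 = Digest::MD5.new
md5.update "Hello"
md5.update " World"
puts md5.hexdigest

###

# Ruby (OpenSSL): HMAC keyed with MD5
# OpenSSL::Digest.new replaces the deprecated OpenSSL::Digest::Digest.new
require 'openssl'
key = "secret-key"
data = "some data to be signed"
puts OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), key, data)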

Secure Example

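# Python (hashlib): SHA3-256 in place of MD5
import hashlib
m = hashlib.sha3_256()
m.update(b"message for cryptographic signature")
print(m.digest())

###

# Python (cryptography): SHA3-256 through the hazmat hashes API
from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.SHA3_256())
digest.update(b"abc")
print(digest.finalize())

###

# Ruby (Digest): SHA256 in place of MD5
require 'digest' # You may want to look at OpenSSL::Digest as it supports more algorithms.
sha256 = Digest::SHA256.new
sha256.update "Hello"
sha256.update " World"
puts sha256.hexdigest

###

# Ruby (OpenSSL): HMAC keyed with SHA3-256 (needs OpenSSL 1.1.1 or later for SHA3)
# OpenSSL::Digest.new replaces the deprecated OpenSSL::Digest::Digest.new
require 'openssl'
key = "secret-key"
data = "some data to be signed"
puts OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha3-256'), key, data)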
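
A check of this kind can be sketched with Python's `ast` module. The following is an added example, not this rule's actual implementation: it flags calls whose name, or whose first string argument to a `new(...)` constructor, matches the insecure list above. The names `WEAK`, `SAMPLE`, `call_name` and `find_weak_algorithms` are assumptions made for the illustration, and `SAMPLE` is constructed from the snippets on this page.

```python
import ast

# Lowercased names from the page's insecure list (non-exhaustive).
WEAK = {"rc2", "rc4", "md2", "md4", "md5", "sha1", "des", "idea", "blowfish"}

# Constructed sample: the page's insecure Python calls plus one secure call.
SAMPLE = '''
import hashlib
from cryptography.hazmat.primitives import hashes
m = hashlib.md5()
h = hashlib.new("sha1", b"abc")
d = hashes.Hash(hashes.MD5())
ok = hashlib.sha3_256()
'''

def call_name(node):
    """Return the last name component of a call target, e.g. 'md5' for hashlib.md5()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None

def find_weak_algorithms(source):
    """Return sorted (line, algorithm) pairs for calls that select a weak algorithm."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name is None:
            continue
        if name.lower() in WEAK:
            # Direct constructors: hashlib.md5(), hashes.MD5(), ...
            findings.add((node.lineno, name.lower()))
        elif name == "new" and node.args:
            # Algorithm chosen by string: hashlib.new("sha1", ...)
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                algo = first.value.lower().replace("-", "")
                if algo in WEAK:
                    findings.add((node.lineno, algo))
    return sorted(findings)

if __name__ == "__main__":
    for line, algo in find_weak_algorithms(SAMPLE):
        print(f"line {line}: weak algorithm {algo}")
```

Matching is by call name only, so a project function that happens to be named `des` or `idea` would also be flagged, and an algorithm name passed through a variable is not seen.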