insecure-crypto-algorithm
Ensure usage of secure cryptographic algorithms
Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. Relying on such insecure cryptographic algorithms in digital signature schemes or to provide confidentiality of sensitive information is an unnecessary risk.
The following algorithms are considered insecure (non-exhaustive list):
RC2, RC4
MD2, MD4, MD5
SHA1
DES
IDEA
Blowfish
Whenever possible, prefer modern cryptographic algorithms such as:
SHA256 / SHA512
SHA3
AES
Examples
Insecure Example
# Python, hashlib: MD5 is on the insecure list
import hashlib
m = hashlib.md5()
m.update(b"message for cryptographic signature")
print(m.digest())
###
# Python, cryptography package: MD5 again
from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.MD5())
digest.update(b"abc")
print(digest.finalize())
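# Ruby, Digest: MD5 is on the insecure list
require 'digest'
md5 = Digest::MD5.new
md5.update "Hello"
md5.update " World"
puts md5.hexdigest
###
# Ruby, OpenSSL: HMAC keyed with an MD5 digest
require 'openssl'
key = "secret-key"
data = "some data to be signed"
# OpenSSL::Digest replaces the deprecated OpenSSL::Digest::Digest alias
puts OpenSSL::HMAC.digest(OpenSSL::Digest.new('md5'), key, data)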
Secure Example
# Python, hashlib: SHA3-256 instead of MD5
import hashlib
m = hashlib.sha3_256()
m.update(b"message for cryptographic signature")
print(m.digest())
###
# Python, cryptography package: SHA3-256 instead of MD5
from cryptography.hazmat.primitives import hashes
digest = hashes.Hash(hashes.SHA3_256())
digest.update(b"abc")
print(digest.finalize())
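# Ruby, Digest: SHA256 instead of MD5
require 'digest' # You may want to look at OpenSSL::Digest as it supports more algorithms.
sha256 = Digest::SHA256.new
sha256.update "Hello"
sha256.update " World"
puts sha256.hexdigest
###
# Ruby, OpenSSL: HMAC keyed with a SHA3-256 digest
require 'openssl'
key = "secret-key"
data = "some data to be signed"
# OpenSSL::Digest replaces the deprecated OpenSSL::Digest::Digest alias
puts OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha3-256'), key, data)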
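One way to check Python source for the algorithms on the insecure list above, as an added example that is not part of the original page and not the rule's own implementation. The names `WEAK`, `find_weak_crypto` and `SAMPLE` are hypothetical, and matching is by identifier only, without resolving imports or aliases.

```python
import ast

# Names from the page's insecure list, normalized. Matching on identifiers is a
# heuristic (assumption of this sketch): it does not resolve imports or aliases.
WEAK = {"rc2", "rc4", "md2", "md4", "md5", "sha1", "des", "idea", "blowfish"}

def _norm(name):
    """'SHA-1', 'sha_1' and 'SHA1' all normalize to 'sha1'."""
    return name.lower().replace("-", "").replace("_", "")

def find_weak_crypto(source):
    """Return sorted (line, algorithm) pairs for weak algorithms used in source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # hashlib.md5(), hashes.MD5(), digestmod=hashlib.sha1: attribute access
        if isinstance(node, ast.Attribute) and _norm(node.attr) in WEAK:
            findings.add((node.lineno, _norm(node.attr)))
        # from hashlib import md5
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if _norm(alias.name) in WEAK:
                    findings.add((node.lineno, _norm(alias.name)))
        # hashlib.new("md5"), hmac.new(key, msg, "sha1"): algorithm as a string
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "new"):
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                        and _norm(arg.value) in WEAK):
                    findings.add((arg.lineno, _norm(arg.value)))
    return sorted(findings)

# Constructed sample input (only parsed, never executed): the page's insecure
# and secure Python snippets plus two string-argument variants.
SAMPLE = '''\
import hashlib, hmac
from cryptography.hazmat.primitives import hashes
m = hashlib.md5()
d = hashes.Hash(hashes.MD5())
h = hashlib.new("SHA-1")
t = hmac.new(b"k", b"data", digestmod="md5")
ok = hashlib.sha3_256()
ok2 = hashlib.new("sha256")
'''

if __name__ == "__main__":
    for line, algo in find_weak_crypto(SAMPLE):
        print(f"line {line}: insecure algorithm {algo}")
```

Because it matches identifiers, a call through a renamed import (`from hashlib import md5 as h`) is reported only at the import line, not at each use.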