SV.WEAK.CRYPT
Use of a Broken or Risky Cryptographic Algorithm
The purpose of the checker is detection of risky/broken/deprecated crypto functionality.
The checker detects the code containing well known weak implementations or use of crypto APIs or libraries. The checker reports defects on usages of algorithms "MD2", "MD4", "MD5", "SHA", "SHA1", "SHA-1”.
Vulnerability and risk
When sensitive data is not protected sufficiently, it can lead to loss of the secrecy or integrity of the data. DES encryption can be cracked using brute-force attacks. The MD5-based algorithm is slightly more secure, so it's preferred over the DES-based algorithm, but even the newer SHA-1 algorithm has been cracked. Hash algorithms like the SHA-256 and SHA-512, which are approved by Federal Information Processing Standards (FIPS), are considered more secure. It's important to use a cryptographic algorithm that is currently considered to be the best by experts in the field.
Vulnerable code example 1
public static UUID nameUUIDFromBytes (byte[] name) {
try {
MessageDigest md = MessageDigest.getInstance("MD5");
return make Uuid(md.digest(name), 3);
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
}
}SV.WEAK.CRYPT reports defect on the line 3.
Fixed code example 1
public static UUID name UUIDFromBytes (byte[] name) {
try {
MessageDigest md = MessageDigest.getinstance("SHA-256");
return makeUuid(md.digest(name), 3);
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
}
}After changing message-digest algorithm to more secure SHA-256, the issue is gone.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
