crypto — weak hash

Reversible One Way Hash in crypto Package

The Go crypto package provides a number of functions for hashing data. However, some of the hash algorithms implemented in its subpackages are cryptographically broken and should not be used for security purposes. These weak hash algorithms include MD5 (crypto/md5) and SHA-1 (crypto/sha1).

The MD5 hash algorithm is a cryptographic hash function designed in the early 1990s. It has been considered broken since practical collision attacks were published in 2004: an attacker can craft two different inputs with the same MD5 digest on commodity hardware, so MD5 offers no collision resistance and must not be used for signatures, certificates, or integrity checks. MD5 is also very fast to compute, so passwords hashed with it (even salted) can be brute-forced at high speed.

The SHA-1 hash algorithm is a cryptographic hash function published by NIST in 1995. Its collision resistance is also broken: a practical collision was demonstrated in 2017 (SHAttered) and chosen-prefix collisions followed in 2020. Like MD5, SHA-1 is a fast hash and is therefore unsuitable for password hashing on its own.

Example

crypto_weak_hash_md5_new.go
package main

import (
    "crypto/md5"
    "fmt"
)

func main() {
    h := md5.New()
    h.Write([]byte("hello world\n"))
    fmt.Printf("%x", h.Sum(nil))
}
Example Output
> precli tests/unit/rules/go/stdlib/crypto/examples/crypto_weak_hash_md5_new.go
⛔️ Error on line 9 in tests/unit/rules/go/stdlib/crypto/examples/crypto_weak_hash_md5_new.go
GO002: Use of Weak Hash
Use of weak hash function 'crypto/md5.New' does not meet security expectations.

Remediation

The recommendation is to swap the weak hash for one from a secure family: crypto/sha256 (SHA-256) or crypto/sha512 (SHA-512). Two caveats apply. A general-purpose hash, even a strong one, is not a password hashing function; store passwords with a deliberately slow, salted KDF such as bcrypt, scrypt, or Argon2 (available under golang.org/x/crypto). And if the digest is meant to detect tampering by someone who could also rewrite the digest itself, use a keyed HMAC (crypto/hmac) rather than a bare hash.

crypto_weak_hash_md5_new.go
package main

import (
    "crypto/sha256"
    "fmt"
)

func main() {
    h := sha256.New()
    h.Write([]byte("hello world\n"))
    fmt.Printf("%x", h.Sum(nil))
}
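The following is an added example, not code from the precli documentation or the Go project, that extends the remediation above: it computes SHA-256 and SHA-512 digests with the one-shot stdlib helpers, and shows a keyed HMAC-SHA256 tag with constant-time verification for the case where the digest must also resist tampering. The key and input are constructed for the demonstration; the function names Sha256Hex, Sha512Hex, TagHMAC and VerifyHMAC are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex-encoded SHA-256 digest of data.
// sha256.Sum256 is the one-shot equivalent of New/Write/Sum.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Sha512Hex returns the hex-encoded SHA-512 digest of data.
func Sha512Hex(data []byte) string {
	sum := sha512.Sum512(data)
	return hex.EncodeToString(sum[:])
}

// TagHMAC returns an HMAC-SHA256 tag over msg under key. Unlike a bare
// digest, the tag cannot be recomputed by someone who does not hold key.
func TagHMAC(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifyHMAC recomputes the tag and compares it in constant time, so a
// byte-by-byte mismatch does not leak timing information.
func VerifyHMAC(key, msg, tag []byte) bool {
	return hmac.Equal(TagHMAC(key, msg), tag)
}

func main() {
	// Constructed sample input, the same string the page hashes with MD5.
	data := []byte("hello world\n")
	fmt.Println("sha256:", Sha256Hex(data))
	fmt.Println("sha512:", Sha512Hex(data))

	// Constructed demo key; a real key comes from a secret store, never source.
	key := []byte("constructed-demo-key-not-for-production")
	tag := TagHMAC(key, data)
	fmt.Printf("hmac-sha256: %x\n", tag)
	fmt.Println("verify original:", VerifyHMAC(key, data, tag))
	fmt.Println("verify tampered:", VerifyHMAC(key, []byte("hello world!"), tag))
}
```

Running the program prints the SHA-256 digest a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447 for the sample input, then true for the untouched message and false for the tampered one. None of these functions is appropriate for storing passwords; that remains the job of a slow KDF such as bcrypt, scrypt, or Argon2.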

Default Configuration

enabled = true
level = "error"

See also

New in version 0.2.1