java.security — weak hash

Reversible One Way Hash in java.security Package

The Java MessageDigest class provides a number of options for algorithms to hash data. However, some of the hash algorithms are insecure and should not be used. These insecure hash algorithms include MD5 and SHA-1.

The MD5 hash algorithm is a cryptographic hash function that was designed in the early 1990s. MD5 is no longer considered secure, and passwords hashed with MD5 can be easily cracked by attackers.

The SHA-1 hash algorithm is also a cryptographic hash function that was designed in the early 1990s. SHA-1 is no longer considered secure, and passwords hashed with SHA-1 can be easily cracked by attackers.

Example

import java.security.*;

public class MessageDigestMD5 {
    public static void main(String[] args) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("MD5 hashing algorithm not available.");
        }
    }
}

Example Output

> precli tests/unit/rules/java/stdlib/java_net/examples/MessageDigestMD5.java
⛔️ Error on line 6 in tests/unit/rules/java/stdlib/java_security/examples/MessageDigestMD5.java
JAV002: Use of Weak Hash
The hash function 'MD5' is vulnerable to collision and pre-image attacks.

Remediation

The recommendation is to swap the insecure hashing method to one of the more secure alternatives, SHA-256 or SHA-512.

import java.security.*;

public class MessageDigestSHA256 {
    public static void main(String[] args) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("SHA-256 hashing algorithm not available.");
        }
    }
}

Default Configuration

enabled = true
level = "error"
weak_hashes = [
  "MD2",
  "MD5",
  "SHA",
  "SHA1",
  "SHA-1",
]

See also

Info

• MessageDigest (Java SE & JDK)
• CWE-328: Use of Weak Hash
• NIST Policy on Hash Functions

New in version 0.5.0