SHA-1 is a weak hash function
ID: java-security/weak-message-digest-sha1
Language: Java
Severity: Warning
Category: Security
CWE: 328
Description
SHA-1 may only be used for digital signature generation where specifically allowed by NIST protocol-specific guidance. For all other applications, SHA-1 shall not be used for digital signature generation. For digital signature verification, SHA-1 is allowed for legacy use.
Datadog recommends using one of the following hash functions instead: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
Non-Compliant Code Examples
import org.apache.commons.codec.digest.DigestUtils;

public class MyClass {
    public byte[] test(String password) {
        // Non-compliant: the Commons Codec helper builds a SHA-1 MessageDigest
        byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes());
        return hashValue;
    }
}
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

public class MyClass {
    public void myMethod1(String password) throws NoSuchAlgorithmException {
        // Non-compliant: "SHA1" is the SUN provider's alias for SHA-1
        MessageDigest sha1Digest = MessageDigest.getInstance("SHA1");
        sha1Digest.update(password.getBytes());
        byte[] hashValue = sha1Digest.digest();
    }

    public void myMethod2(String password) throws NoSuchAlgorithmException, NoSuchProviderException {
        // Non-compliant: the same SHA-1 digest, explicitly requested from the "SUN" provider
        MessageDigest sha1Digest = java.security.MessageDigest.getInstance("SHA1", "SUN");
        sha1Digest.update(password.getBytes());
        byte[] hashValue = sha1Digest.digest();
    }
}
Compliant Code Examples
import java.nio.charset.StandardCharsets;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.params.KeyParameter;
public class MyClass {
    // Compliant: PBKDF2 with HMAC-SHA-256 via Bouncy Castle; the derived key size is given in bits
    public static byte[] getEncryptedPassword(String password, byte[] salt) {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
        gen.init(password.getBytes(StandardCharsets.UTF_8), salt, 4096);
        return ((KeyParameter) gen.generateDerivedParameters(256)).getKey();
    }
}
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class MyClass {
    // Compliant: PBKDF2 with HMAC-SHA-256 from the JCA; PBEKeySpec takes the key length in bits
    public static byte[] getEncryptedPassword(String password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 4096, 256 * 8);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }
}
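For general-purpose digests (files, messages, integrity checks rather than passwords), the flagged MessageDigest calls above are replaced by an approved algorithm. The following wrapper is an added example, not code from the Datadog rule page: it accepts only the hash functions the rule recommends, refuses SHA-1/MD5 by any JCA alias, and shows the SHA-256 replacement. The class name ApprovedDigest is an assumption; it requires Java 9 or later for Set.of and the SHA-512/t names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not part of the rule page) that enforces the rule's allowlist.
public final class ApprovedDigest {
    // JCA standard names of the hash functions recommended by the rule;
    // anything else (SHA-1 under "SHA1", "SHA-1" or "SHA", MD5, ...) is refused.
    private static final Set<String> APPROVED = Set.of(
            "SHA-224", "SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256");

    private ApprovedDigest() {}

    /** Returns a MessageDigest only for an approved algorithm name (case-insensitive). */
    public static MessageDigest getInstance(String algorithm) throws NoSuchAlgorithmException {
        String name = algorithm.toUpperCase(Locale.ROOT);
        if (!APPROVED.contains(name)) {
            throw new NoSuchAlgorithmException(
                    "Digest " + algorithm + " is not approved; use one of " + APPROVED);
        }
        return MessageDigest.getInstance(name);
    }

    /** Hex-encoded SHA-256 of the input: the drop-in replacement for the SHA-1 calls above. */
    public static String sha256Hex(byte[] input) throws NoSuchAlgorithmException {
        byte[] digest = getInstance("SHA-256").digest(input);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input
        System.out.println(sha256Hex("example message".getBytes(StandardCharsets.UTF_8)));
        try {
            getInstance("SHA1");   // the alias used in the non-compliant examples
        } catch (NoSuchAlgorithmException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Routing every MessageDigest.getInstance call through a wrapper like this gives the static analysis rule a single place to check and stops new SHA-1 usages from being introduced by provider aliases.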