MD2, MD4, and MD5 are weak hash functions このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください 。
このルールを試す ID: java-security/weak-message-digest-md5
Language: Java
Severity: Warning
Category: Security
CWE : 328
Description The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor. Further, there is also a chosen-prefix collision attack that can produce a collision for two inputs with specified prefixes within hours, using off-the-shelf computing hardware.
Learn More Non-Compliant Code Examples public class MyClass {
public void myMethod1 () {
MessageDigest md5Digest = MessageDigest . getInstance ( "MD5" );
md5Digest . update ( password . getBytes ());
byte [] hashValue = md5Digest . digest ();
}
public void myMethod2 () {
MessageDigest md5Digest = java . security . MessageDigest . getInstance ( "MD5" );
md5Digest . update ( password . getBytes ());
byte [] hashValue = md5Digest . digest ();
}
}
Compliant Code Examples public class MyClass {
public static byte [] getEncryptedPassword ( String password , byte [] salt ) throws NoSuchAlgorithmException , InvalidKeySpecException {
PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator ( new SHA256Digest ());
gen . init ( password . getBytes ( "UTF-8" ), salt . getBytes (), 4096 );
return (( KeyParameter ) gen . generateDerivedParameters ( 256 )). getKey ();
}
}
Seamless integrations. Try Datadog Code Analysis