Avoid weak hash algorithms.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: elixir-security/weak-hash-algorithms

Language: Elixir

Severity: Error

Category: Security

CWE: 328

Description

Avoid unsecured hash algorithms, as they may lead to data leaks. Use safe and proven hash algorithms.

Learn More

Non-Compliant Code Examples

# The hash functions with md5, sha1, ripemd (128-bit), and sha should be highlighted,
# as they are cryptographically weak and can be easily broken.
defmodule InsecureHashExample do
  # Insecure hash function using MD5
  defp insecure_hash_one(data) do
  # check this
    :cr.hash(data, :md5) |> Base.encode16(case: :lower)
  end
  # Insecure hash function using sha1
  defp insecure_hash_one(data) do
    # validate spacing 
    :crypto.hash(data, :sha1) |> Base.encode16(case: :lower)
  end

# Spacing does not matter
:crypto. hash(:md5, data)

hex = Base.encode16(:crypto. hash(:ripemd160, data))

Compliant Code Examples

# The hash functions other than md5, sha1, ripemd (128-bit), and sha are not highlighted
# as they are cryptographically strong and cannot be broken with standard hardware.
defmodule PasswordCompare do
  def option_one(password, md5_hash) do
    case :crypto.hash(:sha2, password) == md5_hash do
      true -> :entry_granted_op1
      false -> :entry_denied_op1
    end
  end
end
a = :crypto.hash(:sha3, something)