Contents
V5314. OWASP. Use of an outdated hash algorithm is not recommended.
The analyzer has detected the use of an outdated hash algorithm. These algorithms are considered weak due to their collision issues.
Vulnerabilities stemming from the use of weak encryption algorithms can be categorized under the OWASP Top 10 2021 as follows:
Look at the example:
public String calculateHash(String input) {
MessageDigest digest = null;
try {
digest = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
var output = digest.digest(input.getBytes(StandardCharsets.UTF_8));
return Arrays.toString(output);
}When analyzing the code fragment, the analyzer will warn against using the SHA-1 and MD5 algorithms. In this case, the issue with the algorithms lies in their well-known collision problems. Therefore, using them is not recommended.
It is better to replace outdated algorithms with more modern alternatives. In the example above, one possible solution is to replace SHA-1 with SHA-256:
public String calculateHash(String input) {
MessageDigest digest = null;
try {
digest = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
var output = digest.digest(input.getBytes(StandardCharsets.UTF_8));
return Arrays.toString(output);
}Oracle's website provides documentation on standard implementations of various hash algorithms. For hashing, the Java SE 21 specification includes the following algorithms, which are considered weak by modern standards:
- MD2
- MD5
- SHA1
It is worth noting that the JavaDoc for MessageDigest guarantees the availability of only the SHA-1 and SHA-256 algorithms across all Java platform implementations. In Java versions up to 11, MD5 is also available.
The official OWASP website provides various techniques for testing applications for potential vulnerabilities caused by the use of weak encryption algorithms.
Additional links:
Was this page helpful?
