V5613. OWASP. Use of outdated cryptographic algorithm is not recommended.
The analyzer found that an outdated encryption or hashing algorithm is used in the application. Such algorithms may lead to sensitive data exposure, key leakage, broken authentication, etc.
Vulnerabilities associated with insecure cryptographic algorithms can be classified in the following categories of OWASP Top Ten 2017:
Let's consider an example:
private static string CalculateSha1(string text, Encoding enc)
{
var buffer = enc.GetBytes(text);
using var cryptoTransformSha1 = new SHA1CryptoServiceProvider(); // <=
var hash = BitConverter.ToString(cryptoTransformSha1.ComputeHash(buffer))
.Replace("-", string.Empty);
return hash.ToLower();
}
Checking the fragment, the analyzer issues a warning that it is not recommended to use the SHA1 algorithm. It has well-known collision problems. Thus, it's unsafe to use such an algorithm.
Instead of outdated algorithms, you should use modern ones. In the above example, one of the solutions is to replace SHA1 with SHA256:
private static string CalculateSha256(string text, Encoding enc)
{
var buffer = enc.GetBytes(text);
using var cryptoTransformSha256 = new SHA256CryptoServiceProvider();
var hash = BitConverter.ToString(cryptoTransformSha256.ComputeHash(buffer))
.Replace("-", string.Empty);
return hash.ToLower();
}
The Microsoft website provides documentation for standard implementations of cryptographic algorithms. Generally, classes that implement outdated algorithms are marked with a special warning in the documentation. Here are some of them:
It is also not recommended to use classes that inherit ones specified above.
The official OWASP website provides various methods to check an application for potential vulnerabilities associated with insecure encryption algorithms.
This diagnostic is classified as: