Go


Made by DeepSource

Potential usage of DES, RC4, MD5 or SHA1 GSC-G401

Security
Major
a05 a02 cwe-326 owasp top 10

DES, RC4, MD5, and SHA1 are relatively weak encryption/hashing algorithms. Consider using a more secure alternative.

Go's official documentation also warns against the usage of DES, RC4, MD5 and SHA1.

Most common alternatives for the insecure algorithms:

  • Use AES instead of DES/3DES
  • Use SHA512 instead of MD5
  • Use SHA512 instead of SHA1
  • Use AES-128-256 instead of RC4

However, we recommend researching any encryption or hashing algorithm before using it, to determine which is best for your use case.

Bad practice

package main
import (
    "crypto/sha1"
    "fmt"
    "io"
    "log"
    "os"
)
func main() {
    f, err := os.Open("file.txt")
    if err != nil {
        log.Fatal(err)
    }
    defer f.Close()

    // SHA1 is one of the algorithms this check flags.
    h := sha1.New()
    if _, err := io.Copy(h, f); err != nil {
        log.Fatal(err)
    }
    fmt.Printf("%x", h.Sum(nil))
}

Recommended

package main
import (
    "crypto/sha512"
    "fmt"
    "io"
    "log"
    "os"
)
func main() {
    f, err := os.Open("file.txt")
    if err != nil {
        log.Fatal(err)
    }
    defer f.Close()

    // SHA512 replaces SHA1 as the digest.
    h := sha512.New()
    if _, err := io.Copy(h, f); err != nil {
        log.Fatal(err)
    }
    fmt.Printf("%x", h.Sum(nil))
}
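
An added example, not DeepSource's own code for GSC-G401: one way to locate imports of the four packages named above in Go source, using the standard go/parser package. The names weak, sample and FindWeakImports and the sample file are constructed for illustration, and the match is on import paths only.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
)

// weak maps each flagged import path to the alternative this page lists.
var weak = map[string]string{
	"crypto/des":  "AES",
	"crypto/rc4":  "AES",
	"crypto/md5":  "SHA512",
	"crypto/sha1": "SHA512",
}

// sample is constructed input: a file that imports two flagged packages.
const sample = `package demo

import (
	"crypto/md5"
	"crypto/sha512"
	legacy "crypto/rc4"
)
`

// FindWeakImports returns one "file:line: path (use X instead)" finding per flagged import.
func FindWeakImports(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, imp := range f.Imports {
		// The parser has already validated the literal, so Unquote cannot fail.
		path, _ := strconv.Unquote(imp.Path.Value)
		if alt, ok := weak[path]; ok {
			line := fset.Position(imp.Pos()).Line
			out = append(out, fmt.Sprintf("%s:%d: %s (use %s instead)", filename, line, path, alt))
		}
	}
	return out, nil
}

func main() {
	findings, err := FindWeakImports("demo.go", sample)
	fmt.Println(findings, err)
}
```

Because the lookup uses the import path, the aliased import (legacy "crypto/rc4") is reported as well, while "crypto/sha512" is not.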
