Audit required: Insecure hash function SC-A1001
Security
Major
D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to [collision attacks[(https://en.wikipedia.org/wiki/Collision_attack). Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
A hash function takes a variable-length digital input and coverts it into a fixed-length random hash value.
Hashing algorithms like MD5 and SHA-1 are vulnerable to collision attacks. In a collision attack, an attacker finds two messages with the same hashed output and sends the incorrect one to the receiver.
It is recommended to use safer alternatives, such as SHA-256, SHA-512, SHA-3.
References:
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- OWASP Top 10 2017 Category A6 - Security misconfiguration
- CWE 327 - Use of a Broken or Risky Cryptographic Algorithm
- Breaking MD5 and other hash functions