Insecure Encryption Algorithm - SHA1
Need
To secure the information transmitted between the client and the server using cryptographically secure algorithms.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug (1.11.1 and above) for building composable web applications in Elixir
- Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)
Description
Non-compliant code
defmodule MyApp.Encryption do
  # :sha selects SHA-1, a digest algorithm with known collision weaknesses
  def generate_hash(data) do
    :crypto.hash(:sha, data)
  end
end
This code is vulnerable because it uses the SHA1 hash algorithm (passed to :crypto.hash/2 as :sha), which is considered insecure. It could allow an attacker to defeat the hash function (forge a colliding input or brute-force the original value) and obtain sensitive information.
Steps
- Replace the insecure SHA1 algorithm with a secure one like SHA256 or SHA3.
- Make sure the hash function chosen matches what the surrounding cryptographic scheme expects (digest length, signature or MAC scheme), so that every party computes and verifies the same algorithm.
Compliant code
defmodule MyApp.Encryption do
  # :sha256 selects SHA-256, a member of the SHA-2 family
  def generate_hash(data) do
    :crypto.hash(:sha256, data)
  end
end
In this secure code example, we've replaced the SHA1 hash algorithm with SHA256, which is considered secure. This will effectively mitigate the risks associated with SHA1.
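The following is an added example (not code from the original page) showing the compliant SHA-256 call in a slightly more complete form: hex encoding for transport, a keyed variant for data exchanged between client and server, and constant-time verification with Plug.Crypto.secure_compare/2, which the Context section lists. The module name MyApp.Digest and its functions are assumptions; it requires Erlang/OTP 22.1 or later for :crypto.mac/4.

```elixir
# Added example, not from the original page. MyApp.Digest is a hypothetical module.
defmodule MyApp.Digest do
  @moduledoc """
  SHA-256 based helpers. Assumes Erlang/OTP 22.1+ (for :crypto.mac/4)
  and Plug.Crypto (for secure_compare/2).
  """

  # Single place to set the algorithm; never :sha (SHA-1) or :md5 here.
  @algo :sha256

  # Unkeyed digest, hex encoded so it can travel in JSON bodies or headers.
  def generate_hash(data) when is_binary(data) do
    @algo
    |> :crypto.hash(data)
    |> Base.encode16(case: :lower)
  end

  # Keyed digest (HMAC-SHA-256). A bare hash, even SHA-256, can be recomputed
  # by anyone who sees the data, so integrity of a value transmitted between
  # client and server needs a secret key shared by both ends.
  def generate_mac(key, data) when is_binary(key) and is_binary(data) do
    :crypto.mac(:hmac, @algo, key, data)
    |> Base.encode16(case: :lower)
  end

  # Constant-time comparison so a mismatch does not leak the position of
  # the first differing byte through timing.
  def valid_hash?(expected_hex, data) when is_binary(expected_hex) do
    Plug.Crypto.secure_compare(expected_hex, generate_hash(data))
  end

  def valid_mac?(key, expected_hex, data) when is_binary(expected_hex) do
    Plug.Crypto.secure_compare(expected_hex, generate_mac(key, data))
  end

  # Quick sanity check for stored digests: SHA-1 produces 20 bytes (40 hex
  # characters), SHA-256 produces 32 bytes (64 hex characters). A 40-character
  # value in a column that should hold SHA-256 output points at the old code.
  def sha256_hex?(hex) when is_binary(hex), do: byte_size(hex) == 64
end
```

In iex, `MyApp.Digest.generate_hash("abc")` returns the 64-character SHA-256 hex digest, and `MyApp.Digest.valid_hash?(that_value, "abc")` returns true.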