Insecure Encryption Algorithm - SHA1

Need

To secure the information transmitted between the client and the server using cryptographically secure algorithms.

Context

Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
Usage of Plug (1.11.1 and above) for building composable web applications in Elixir
Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)

Description

Non compliant code

defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha, data)
  end
end

This code is vulnerable because it uses the SHA1 encryption algorithm which is considered insecure. It could allow an attacker to reverse a summary function to find sensitive information.

Steps

Replace the insecure SHA1 algorithm with a secure one like SHA256 or SHA3.
Ensure to use the appropriate hash function based on the encryption algorithm.

Compliant code

defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha256, data)
  end
end

In this secure code example, we've replaced the SHA1 encryption algorithm with SHA256, which is considered secure. This will effectively mitigate the risks associated with SHA1.

References

262.Insecure encryption algorithm - SHA1

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​