Reversible One Way Hash in crypto Package

GO002
reversible_one_way_hash
CWE-328
⛔️ Error

The Go crypto package provides a number of functions for hashing data. However, some of the hash algorithms it provides are insecure and should not be used. These insecure hash algorithms include MD5 (crypto/md5) and SHA-1 (crypto/sha1).

The MD5 hash algorithm is a cryptographic hash function that was designed in the early 1990s. MD5 is no longer considered secure, and passwords hashed with MD5 can be easily cracked by attackers.

The SHA-1 hash algorithm is also a cryptographic hash function that was designed in the early 1990s. SHA-1 is no longer considered secure, and passwords hashed with SHA-1 can be easily cracked by attackers.

Examples

package main

import (
	"crypto/md5"
	"fmt"
)

func main() {
	// MD5 is flagged by GO002: collisions are practical, so it gives no integrity guarantee.
	h := md5.New()
	h.Write([]byte("hello world\n"))
	fmt.Printf("%x", h.Sum(nil))
}

Remediation

The recommendation is to replace the insecure hashing method with one of the more secure alternatives, SHA-256 (crypto/sha256) or SHA-512 (crypto/sha512).

package main

import (
	"crypto/sha256"
	"fmt"
)

func main() {
	// Drop-in replacement: sha256.New returns the same hash.Hash interface as md5.New.
	h := sha256.New()
	h.Write([]byte("hello world\n"))
	fmt.Printf("%x", h.Sum(nil))
}
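The following is an added example, not code from the page or from the rule's project, showing the remediation in a form that can be reused: the digest computation is wrapped in functions for SHA-256 and SHA-512 (the two replacements the page recommends), and a stored digest is verified with hmac.Equal so that the comparison runs in constant time. The input "hello world" and the function names are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
)

// Checksum256 returns the hex-encoded SHA-256 digest of data.
// sha256.Sum256 is the one-shot form of the sha256.New / Write / Sum sequence.
func Checksum256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Checksum512 returns the hex-encoded SHA-512 digest of data.
func Checksum512(data []byte) string {
	sum := sha512.Sum512(data)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum256 recomputes the SHA-256 digest of data and compares it
// with the expected hex digest in constant time. A malformed hex string
// fails verification rather than panicking.
func VerifyChecksum256(data []byte, wantHex string) bool {
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return false
	}
	got := sha256.Sum256(data)
	return hmac.Equal(got[:], want)
}

func main() {
	data := []byte("hello world") // constructed sample input
	fmt.Println("sha256:", Checksum256(data))
	fmt.Println("sha512:", Checksum512(data))
	fmt.Println("verified:", VerifyChecksum256(data, Checksum256(data)))
}
```

Both SHA-256 and SHA-512 are fast general-purpose hashes, which is what this rule is about (integrity digests, fingerprints); the constant-time comparison matters whenever the digest is checked against a value supplied by a caller.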

False Positives

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (GO002) or rule category name (reversible_one_way_hash).

package main

import (
	"crypto/md5"
	"fmt"
)

func main() {
	// suppress: GO002
	h := md5.New()
	h.Write([]byte("hello world\n"))
	fmt.Printf("%x", h.Sum(nil))
}
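To make the rule's behaviour concrete, here is an added example (not the rule's own implementation) of a minimal scanner built on go/ast that reports calls through packages imported as crypto/md5 or crypto/sha1, honouring an import alias, and skips a call when a comment on the same line or on the line above contains the rule ID (GO002) or the rule name (reversible_one_way_hash), which is the suppression convention described above. The sample source it scans is constructed for this example; a local variable that shadows the package name is not resolved, since the scan works on syntax only.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
	"strings"
)

// Finding is one call into a weak hash package that the scan reports.
type Finding struct {
	Line int
	Call string // e.g. "md5.New"
}

// weakHashImports lists the import paths the rule flags.
var weakHashImports = map[string]bool{
	"crypto/md5":  true,
	"crypto/sha1": true,
}

// ScanSource parses Go source text and returns every call made through an
// identifier bound to crypto/md5 or crypto/sha1, unless a comment on the same
// line or on the line above names the rule.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}

	// Local package names (honouring aliases) that refer to a weak hash import.
	weakNames := map[string]bool{}
	for _, imp := range file.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil || !weakHashImports[p] {
			continue
		}
		name := path.Base(p)
		if imp.Name != nil {
			name = imp.Name.Name
		}
		weakNames[name] = true
	}

	// Lines covered by a suppression comment: the comment's own line (trailing
	// comment) and the line after it (preceding comment line).
	suppressed := map[int]bool{}
	for _, cg := range file.Comments {
		for _, c := range cg.List {
			if strings.Contains(c.Text, "GO002") || strings.Contains(c.Text, "reversible_one_way_hash") {
				line := fset.Position(c.Pos()).Line
				suppressed[line] = true
				suppressed[line+1] = true
			}
		}
	}

	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || !weakNames[pkg.Name] {
			return true
		}
		line := fset.Position(call.Pos()).Line
		if !suppressed[line] {
			findings = append(findings, Finding{Line: line, Call: pkg.Name + "." + sel.Sel.Name})
		}
		return true
	})
	return findings, nil
}

// sampleSource is constructed input: one flagged call, one suppressed call,
// and one call to the recommended replacement.
const sampleSource = `package main

import (
	"crypto/md5"
	"crypto/sha256"
	"fmt"
)

func main() {
	h := md5.New() // reported by the scan
	h.Write([]byte("x"))
	fmt.Printf("%x", h.Sum(nil))

	// suppress: GO002
	legacy := md5.Sum([]byte("x")) // skipped: preceding comment names the rule
	fmt.Printf("%x", legacy)

	s := sha256.New() // not a weak hash, never reported
	fmt.Printf("%x", s.Sum(nil))
}
`

func main() {
	findings, err := ScanSource(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: %s uses a weak hash (GO002)\n", f.Line, f.Call)
	}
}
```

Running it reports only the md5.New call on line 10 of the sample; the md5.Sum call is silenced by the comment line above it, and the sha256.New call is never considered.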

See also