
Reversible One Way Hash in java.security Package

Rule ID: JAV002
Rule category: reversible_one_way_hash
CWE: CWE-328
Severity: Error

The Java MessageDigest class can be instantiated with any of several hash algorithms. Some of these algorithms are no longer secure and should not be used; the insecure ones flagged by this rule are MD5 and SHA-1.

The MD5 hash algorithm is a cryptographic hash function designed in the early 1990s. MD5 is no longer considered secure, and passwords hashed with MD5 can be cracked with little effort.

The SHA-1 hash algorithm is also a cryptographic hash function designed in the early 1990s. SHA-1 is likewise no longer considered secure, and passwords hashed with SHA-1 can be cracked with little effort.

Example

import java.security.*;

public class MessageDigestMD5 {
    public static void main(String[] args) {
        try {
            // Flagged by JAV002: MD5 is an insecure hash algorithm
            MessageDigest md = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("MD5 hashing algorithm not available.");
        }
    }
}

Remediation

The recommendation is to replace the insecure hash algorithm with one of the more secure alternatives, SHA-256 or SHA-512.

import java.security.*;

public class MessageDigestSHA256 {
    public static void main(String[] args) {
        try {
            // SHA-256 is one of the recommended replacements for MD5 and SHA-1
            MessageDigest md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("SHA-256 hashing algorithm not available.");
        }
    }
}

False Positives

If the rule reports a false positive, it can be suppressed. Add a trailing or preceding comment line containing either the rule ID (JAV002) or the rule category name (reversible_one_way_hash).

import java.security.*;

public class MessageDigestMD5 {
    public static void main(String[] args) {
        try {
            // suppress: JAV002
            MessageDigest md = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            System.err.println("MD5 hashing algorithm not available.");
        }
    }
}
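To make the detection and suppression behaviour described above concrete, the following Python checker is an added example, not the scanner's own implementation: it finds MessageDigest.getInstance() calls that select MD5 or SHA-1 and skips any that carry a JAV002 or reversible_one_way_hash comment. The "SHA1" alias, the reading of "trailing or preceding comment line" as a same-line trailing comment or a comment-only neighbouring line, and the sample Java source are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed mini-checker mirroring the rule as documented on this page; it is not
# the scanner's own code. Flags MD5/SHA-1 MessageDigest selections minus suppressions.
RULE_ID = "JAV002"
RULE_NAME = "reversible_one_way_hash"
# "SHA1" is an assumed provider alias; the page itself names only MD5 and SHA-1.
WEAK_ALGORITHMS = {"MD5", "SHA-1", "SHA1"}
CALL_RE = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"')

def _comment_text(line: str, whole_line_only: bool) -> str:
    """The // comment on a line; neighbouring lines count only if they are comment-only."""
    code, _, comment = line.partition("//")
    return "" if whole_line_only and code.strip() else comment

def is_suppressed(lines: List[str], idx: int) -> bool:
    """Rule ID or name in a trailing comment on the line, or in a comment-only line
    directly before or after it (assumed reading of 'trailing or preceding comment line')."""
    candidates = [_comment_text(lines[idx], whole_line_only=False)]
    for j in (idx - 1, idx + 1):
        if 0 <= j < len(lines):
            candidates.append(_comment_text(lines[j], whole_line_only=True))
    return any(RULE_ID in c or RULE_NAME in c for c in candidates)

def find_weak_digests(source: str) -> List[Tuple[int, str]]:
    """(1-based line number, algorithm) for every unsuppressed weak digest selection."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        code = line.partition("//")[0]  # commented-out code is not a finding
        match = CALL_RE.search(code)
        if match and match.group(1).upper() in WEAK_ALGORITHMS and not is_suppressed(lines, idx):
            findings.append((idx + 1, match.group(1)))
    return findings

# Constructed sample input exercising each case described in the rule documentation.
SAMPLE_JAVA = """\
MessageDigest a = MessageDigest.getInstance("MD5");
MessageDigest b = MessageDigest.getInstance("SHA-256");
// suppress: JAV002
MessageDigest c = MessageDigest.getInstance("MD5");
MessageDigest d = MessageDigest.getInstance("SHA-1"); // reversible_one_way_hash: legacy checksum
MessageDigest e = MessageDigest.getInstance("SHA-1");
// MessageDigest f = MessageDigest.getInstance("MD5");
"""

if __name__ == "__main__":
    for lineno, algo in find_weak_digests(SAMPLE_JAVA):
        print(f"{RULE_ID} line {lineno}: weak hash algorithm {algo}")
```

Running it reports lines 1 and 6 only: line 4 is covered by the preceding suppression comment, line 5 by its trailing comment, and line 7 is commented-out code.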
