Use of a Broken or Risky Cryptographic Algorithm
- Rule ID: go_gosec_blocklist_sha1
- Languages: go
- Source: sha1.yml
Description
The SHA-1 hashing algorithm is no longer considered secure against well-funded attackers. It is vulnerable to collision attacks, which means it's possible to generate two different inputs that result in the same SHA-1 hash, undermining the hash's uniqueness and security. Due to these vulnerabilities, it is advised to discontinue using SHA-1 for cryptographic security.
Remediation
When choosing a hashing algorithm for cryptographic purposes, it's important to select one that is resistant to collisions and other attack vectors. SHA-3 and BLAKE2 are both excellent choices for non-password-based hashing requirements due to their strong cryptographic properties.
✅ For General Hashing Needs, Use SHA-3 or BLAKE2
Choose SHA-3 or BLAKE2 for their resistance to known hash attack vectors, ensuring the integrity and uniqueness of your data fingerprints.
✅ For Password Hashing, Prefer bcrypt or Argon2id
For password hashing specifically, bcrypt or Argon2id are recommended. These algorithms are designed to be computationally intensive, which helps protect against brute-force attacks.
❌ Discontinue Using SHA-1 for Security Purposes
Given its vulnerabilities, avoid using SHA-1 in any security context to prevent potential collision attacks.
The code snippet provided is unrelated to the hashing algorithms and seems to be a continuation of the previous examples for encryption with AES-256. Ensure your hashing and encryption strategies are correctly implemented as per their intended use-cases.
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_sha1To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_sha1Ready to take the next step? Learn more about Bearer Cloud.