Use of a Broken or Risky Cryptographic Algorithm

  • Rule ID: go_gosec_blocklist_sha1
  • Languages: go
  • Source: sha1.yml

Description

The SHA-1 hashing algorithm is no longer considered secure against well-funded attackers. It is vulnerable to collision attacks, which means it's possible to generate two different inputs that result in the same SHA-1 hash, undermining the hash's uniqueness and security. Due to these vulnerabilities, it is advised to discontinue using SHA-1 for cryptographic security.

Remediation

When choosing a hashing algorithm for cryptographic purposes, it's important to select one that is resistant to collisions and other attack vectors. SHA-3 and BLAKE2 are both excellent choices for non-password-based hashing requirements due to their strong cryptographic properties.

✅ For General Hashing Needs, Use SHA-3 or BLAKE2

Choose SHA-3 or BLAKE2 for their resistance to known hash attack vectors, ensuring the integrity and uniqueness of your data fingerprints.

✅ For Password Hashing, Prefer bcrypt or Argon2id

For password hashing specifically, bcrypt or Argon2id are recommended. These algorithms are designed to be computationally intensive, which helps protect against brute-force attacks.

❌ Discontinue Using SHA-1 for Security Purposes

Given its vulnerabilities, avoid using SHA-1 in any security context to prevent potential collision attacks.

The code snippet provided is unrelated to the hashing algorithms and seems to be a continuation of the previous examples for encryption with AES-256. Ensure your hashing and encryption strategies are correctly implemented as per their intended use-cases.

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_blocklist_sha1

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_blocklist_sha1

Ready to take the next step? Learn more about Bearer Cloud.