617
618 @staticmethod
619 def get_template_key(name: str) -> str:
620 return "tmpl_" + sha1(name.encode("utf-8")).hexdigest()621
622 @staticmethod
623 def get_module_filename(name: str) -> str:160
161 def get_source_checksum(self, source: str) -> str:
162 """Returns a checksum for the source."""
163 return sha1(source.encode("utf-8")).hexdigest()164
165 def get_bucket(
166 self,151 self, name: str, filename: t.Optional[t.Union[str]] = None
152 ) -> str:
153 """Returns the unique hash key for this template name."""
154 hash = sha1(name.encode("utf-8"))155
156 if filename is not None:
157 hash.update(f"|{filename}".encode())D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
A hash function takes a variable-length digital input and coverts it into a fixed-length random hash value.
Hasing algorthems like MD5 and SHA-1 are vulnerable to collision attacks. In a collision attack an attacker finds two messages with the same hashed output and sends the incorrect one to the receiver.
It is recommended to use safer alternatives, such as SHA-256, SHA-512, SHA-3.
Bad practice
import hashlib
import Crypto
m1 = hashlib.md5() # Insecure, Use of MD5
m2 = hashlib.sha1() # Insecure, Use of SHA1
m3 = Crypto.Hash.MD5.new() # Insecure, Use of MD5
Recommended
It is recommended to either use stronger hash algorithms:
import hashlib
import Crypto
m1 = hashlib.sha512()
m2 = hashlib.sha256()
m3 = Crypto.Hash.SHA256.new()
OR, if the use-case is not security sensitive, set the usedforsecurity argument
to False as a way to signal that:
import hashlib
hasher = hashlib.md5(usedforsecurity=False) # issue will no longer be raised.
References:
- OWASP Top 10 2021 Category A02 - Cryptographic Failures
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE 327 - Use of a Broken or Risky Cryptographic Algorithm
- Breaking MD5 and other hash functions