Potential usage of DES, RC4, MD5 or SHA1 GSC-G401
Use of weak cryptographic primitive
30
31// MD5 returns a random MD5 based random hashed string
32func (hash Hash) MD5() string {
33 hashFunction := md5.New()34 randomString := hash.Faker.Lorem().Word()
35 hashFunction.Write([]byte(randomString))
36 return fmt.Sprintf("%x", string(hashFunction.Sum(nil)))
Description
DES, RC4, MD5, and SHA1 are relatively weak encryption/hashing algorithms. Consider using a more secure alternative.
Go's official documentation also warns against the usage of DES, RC4, MD5 and SHA1.
Most common alternatives for the insecure algorithms:
- Use AES instead of DES/3DES
- Use SHA512 instead of MD5
- Use SHA512 instead of SHA1
- Use AES-128-256 instead of RC4
Although, we recommend doing some initial research before using any encryption/hashing algorithm to determine which is best for your use case.
Bad practice
package main
import (
"crypto/sha1"
"fmt"
"io"
"log"
"os"
)
func main() {
f, err := os.Open("file.txt")
if err != nil {
log.Fatal(err)
}
defer f.Close()
h := sha1.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%x", h.Sum(nil))
}
Recommended
package main
import (
"crypto/sha512"
"fmt"
"io"
"log"
"os"
)
func main() {
f, err := os.Open("file.txt")
if err != nil {
log.Fatal(err)
}
defer f.Close()
h := sha512.New()
if _, err := io.Copy(h, f); err != nil {
log.Fatal(err)
}
fmt.Printf("%x", h.Sum(nil))
}