
Insecure Encryption Algorithm - SHA1

Need

To secure the information transmitted between the client and the server using cryptographically secure algorithms.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Plug (1.11.1 and above) for building composable web applications in Elixir

• Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)

Description

1. Non-compliant code

defmodule MyApp.Encryption do
  # :sha selects SHA-1 in Erlang's :crypto module (a hash, not encryption)
  def generate_hash(data) do
    :crypto.hash(:sha, data)
  end
end

This code is vulnerable because it uses SHA-1, a hash function (not an encryption algorithm) that is no longer considered secure. Collisions for SHA-1 can be computed at practical cost, so an attacker who can influence the hashed input can produce two different messages with the same digest and defeat any integrity check or signature built on it. Independently of the algorithm, a fast unsalted digest like this is also unsuitable for protecting secrets such as passwords.

2. Steps

• Replace SHA-1 (`:sha`) with a member of the SHA-2 or SHA-3 family, such as `:sha256` or `:sha3_256` for a 256-bit digest, or `:sha512` / `:sha3_512` where a larger one is required.

• Choose the construction according to what the hash is used for, not only the digest: an unkeyed hash only for integrity checks on data the attacker cannot choose; an HMAC (`:crypto.mac(:hmac, :sha256, key, data)`, compared in constant time) when the value must authenticate data exchanged between client and server; and a salted, deliberately slow key-derivation function rather than any plain hash for passwords.

3. Secure code example

defmodule MyApp.Encryption do
  # :sha256 selects SHA-256 (SHA-2 family); :sha3_256 would select SHA3-256
  def generate_hash(data) do
    :crypto.hash(:sha256, data)
  end
end

In this secure code example SHA-1 has been replaced with SHA-256, for which no practical collision or preimage attack is known. Note that this only corrects the choice of digest: an unkeyed hash still cannot authenticate data received from a client, so information transmitted between client and server should be protected with an HMAC over SHA-256 and verified with a constant-time comparison, and passwords need a salted, slow key-derivation function instead of a plain hash.
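The following module is an added example, not code from the original page or from the Plug project, that puts the steps above together: it refuses SHA-1 and MD5 at the function-clause level, computes an unkeyed SHA-2/SHA-3 digest for plain integrity checks, and uses HMAC-SHA256 with a constant-time comparison (and `Plug.Crypto.MessageVerifier`, which is HMAC-SHA256 based) for data that crosses the client/server boundary. The module name `MyApp.Digest`, the function names and the sample key are assumptions chosen for illustration; the `:crypto` and `Plug.Crypto` calls are the real APIs (Erlang/OTP 22+ and plug_crypto 1.2+).

```elixir
# Added example (not from the original page). Assumes Erlang/OTP 22 or later
# (for :crypto.mac/4 and the :sha3_* digests) and plug_crypto >= 1.2.
defmodule MyApp.Digest do
  @moduledoc """
  Hash and MAC helpers that only accept SHA-2 / SHA-3 digests.
  Passing :sha (SHA-1) or :md5 raises FunctionClauseError instead of
  silently producing a weak digest.
  """

  # Digests allowed for unkeyed hashing; :sha and :md5 are deliberately absent.
  @allowed_digests [:sha256, :sha384, :sha512, :sha3_256, :sha3_512]

  @doc """
  Hex-encoded unkeyed digest. Suitable only for integrity checks on data the
  attacker does not control (e.g. checksumming a file you produced yourself).

      iex> MyApp.Digest.digest("payload")           # SHA-256, 64 hex chars
      iex> MyApp.Digest.digest("payload", :sha3_256)
      iex> MyApp.Digest.digest("payload", :sha)     # ** (FunctionClauseError)
  """
  def digest(data, algo \\ :sha256) when is_binary(data) and algo in @allowed_digests do
    algo
    |> :crypto.hash(data)
    |> Base.encode16(case: :lower)
  end

  @doc """
  Keyed MAC (HMAC-SHA256) for data exchanged between client and server.
  An unkeyed hash cannot authenticate such data because the client could
  recompute it; the key is what the client does not have.
  """
  def mac(key, data) when is_binary(key) and byte_size(key) >= 32 and is_binary(data) do
    :crypto.mac(:hmac, :sha256, key, data)
  end

  @doc """
  Verify a MAC received from a peer. Plug.Crypto.secure_compare/2 runs in
  constant time, so the comparison does not leak how many leading bytes
  matched; it returns false for mismatched lengths.
  """
  def verify_mac(key, data, received_mac) when is_binary(received_mac) do
    Plug.Crypto.secure_compare(mac(key, data), received_mac)
  end

  @doc """
  Sign a payload for transport using plug_crypto's MessageVerifier, which
  appends an HMAC over the base64-encoded message using the given digest
  (:sha256 here; SHA-1 is not accepted by sign/3).
  """
  def sign(payload, secret) when is_binary(payload) and is_binary(secret) do
    Plug.Crypto.MessageVerifier.sign(payload, secret, :sha256)
  end

  @doc "Returns {:ok, payload} for a valid signature, :error otherwise."
  def verify_signed(signed, secret) when is_binary(signed) and is_binary(secret) do
    Plug.Crypto.MessageVerifier.verify(signed, secret)
  end
end

# Usage sketch with a constructed key (never hard-code a real key; load it from
# configuration or an environment variable):
#
#   key = :crypto.strong_rand_bytes(32)
#   tag = MyApp.Digest.mac(key, "user=42;role=admin")
#   true  = MyApp.Digest.verify_mac(key, "user=42;role=admin", tag)
#   false = MyApp.Digest.verify_mac(key, "user=42;role=user", tag)
#
#   token = MyApp.Digest.sign("session-data", key)
#   {:ok, "session-data"} = MyApp.Digest.verify_signed(token, key)
#   :error = MyApp.Digest.verify_signed(token <> "x", key)
```

The guard on `digest/2` is the enforcement point: a call site that still passes `:sha` fails loudly at runtime rather than emitting a SHA-1 digest, which is easier to catch in tests than a silently weak value. The MAC and signing helpers cover the "information transmitted between the client and the server" case from the Need section; a bare `:crypto.hash/2`, whatever the digest, does not.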