
Insecure Encryption Algorithm - MD5

Need

To secure user passwords using cryptographically secure hashing algorithms.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Ecto (3.6.2 and above) for database query and manipulation

• Usage of Comeonin for password hashing and encryption

• Usage of Bcrypt_elixir for secure password hashing and verification

Description

1. Non-compliant code

defmodule MyApp.User do
  use Ecto.Schema

  schema "users" do
    field :password_hash, :string
  end

  # MD5 is a fast, unsalted general-purpose digest, not a password hash:
  # equal passwords produce equal hashes, and a leaked table can be tested
  # offline at billions of guesses per second on commodity GPUs.
  def hash_password(password) do
    :crypto.hash(:md5, password)
    # ...
  end
end

This code is vulnerable because it hashes passwords with MD5, a fast, unsalted digest that is not designed for password storage. An attacker who captures the stored hashes (for example through a database leak) can crack them offline with precomputed tables or brute force at very high speed, recovering the original credentials.

2. Steps

• Replace the insecure MD5 hash function with a secure one like PBKDF2 or Bcrypt.

• Use the Bcrypt library provided by 'Comeonin' and 'Bcrypt_elixir' to hash passwords.

3. Secure code example

defmodule MyApp.User do
  use Ecto.Schema
  import Comeonin.Bcrypt

  schema "users" do
    field :password_hash, :string
  end

  # Bcrypt is a salted, deliberately slow password hash with a tunable
  # work factor, so each guess costs the attacker as much as it costs us.
  def hash_password(password) do
    # ...
  end
end

In this secure code example, we've replaced the MD5 hash function with Bcrypt, which is considered secure for password storage: it generates a random salt per password and applies a configurable work factor, so cracking captured hashes is slow and precomputed tables are useless. This will effectively mitigate the risks associated with MD5.
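The following is an added, complete example (not code from the original page) that carries the Steps above through an Ecto changeset: the plaintext password is a virtual field, only the Bcrypt hash is persisted, and login verification is constant-cost even when the user does not exist. It assumes bcrypt_elixir 2.0 or later (which exposes Bcrypt.hash_pwd_salt/1, Bcrypt.verify_pass/2 and Bcrypt.no_user_verify/0 and depends on comeonin); the field names email and password are assumptions.

```elixir
# Added example; assumes {:bcrypt_elixir, "~> 3.0"} in mix.exs.
# Only the Bcrypt hash ever reaches the database.
defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :password, :string, virtual: true, redact: true
    field :password_hash, :string, redact: true
    timestamps()
  end

  # Builds a changeset that replaces the plaintext password with a Bcrypt hash.
  def registration_changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :password])
    |> validate_required([:email, :password])
    # bcrypt only uses the first 72 bytes, so reject longer inputs explicitly
    |> validate_length(:password, min: 12, max: 72, count: :bytes)
    |> put_password_hash()
  end

  # Bcrypt.hash_pwd_salt/1 generates a random 16-byte salt and embeds it and
  # the work factor in the returned "$2b$..." string; no salt column is needed.
  defp put_password_hash(%Ecto.Changeset{valid?: true, changes: %{password: pw}} = cs) do
    cs
    |> put_change(:password_hash, Bcrypt.hash_pwd_salt(pw))
    |> delete_change(:password)
  end

  defp put_password_hash(changeset), do: changeset

  # Verifies a login attempt against the stored hash.
  def valid_password?(%__MODULE__{password_hash: hash}, password)
      when is_binary(hash) and is_binary(password) do
    Bcrypt.verify_pass(password, hash)
  end

  # Unknown user or missing hash: still run a dummy bcrypt computation so the
  # response time does not reveal which emails are registered.
  def valid_password?(_, _) do
    Bcrypt.no_user_verify()
    false
  end
end
```

The work factor defaults to 12 rounds and can be raised via the `:log_rounds` config of bcrypt_elixir as hardware gets faster; rehash on successful login when the stored cost falls behind the current setting.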