MD2, MD4, and MD5 are weak hash functions

Metadata

ID: java-security/weak-message-digest-md5

Language: Java

Severity: Warning

Category: Security

CWE: 328

Description

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor. Further, there is also a chosen-prefix collision attack that can produce a collision for two inputs with specified prefixes within hours, using off-the-shelf computing hardware.

Learn More

Non-Compliant Code Examples

public class MyClass {
    public void myMethod1() {
        MessageDigest md5Digest = MessageDigest.getInstance("MD5");
        md5Digest.update(password.getBytes());
        byte[] hashValue = md5Digest.digest();
    }
    public void myMethod2() {
        MessageDigest md5Digest = java.security.MessageDigest.getInstance("MD5");
        md5Digest.update(password.getBytes());
        byte[] hashValue = md5Digest.digest();
    }
}

Compliant Code Examples

public class MyClass {
    public static byte[] getEncryptedPassword(String password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
        gen.init(password.getBytes("UTF-8"), salt.getBytes(), 4096);
        return ((KeyParameter) gen.generateDerivedParameters(256)).getKey();
    }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

Datadog Code Analysis
PREVIEWING: rtrieu/product-analytics-ui-changes