Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128,
DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160 and SHA-1 are no
longer considered secure, because it is possible to find collisions (little computational effort is enough to find two or more different
inputs that produce the same hash).
Message authentication code (MAC) algorithms such as HMAC-MD5 or HMAC-SHA1 use weak hash functions as building blocks.
Although they are not all proven to be weak, they are considered legacy algorithms and should be avoided.
The hashed value is used in a security context like:
There is a risk if you answered yes to any of those questions.
Safer alternatives, such as SHA-256, SHA-512 or SHA-3, are recommended, and for password hashing it's even
better to use algorithms that are deliberately slow to compute, like bcrypt, scrypt, argon2 or pbkdf2,
because that slowness makes brute force attacks more expensive.
Imports System.Security.Cryptography

Sub ComputeHash()
    ' Review all instantiations of classes that inherit from HashAlgorithm, for example:
    Dim hashAlgo As HashAlgorithm = HashAlgorithm.Create() ' Sensitive
    Dim hashAlgo2 As HashAlgorithm = HashAlgorithm.Create("SHA1") ' Sensitive
    Dim sha As SHA1 = New SHA1CryptoServiceProvider() ' Sensitive
    Dim md5 As MD5 = New MD5CryptoServiceProvider() ' Sensitive
    ' ...
End Sub

Class MyHashAlgorithm
    Inherits HashAlgorithm ' Sensitive
    ' ...
End Class
Imports System.Security.Cryptography

Sub ComputeHash()
    Dim sha256 = New SHA256CryptoServiceProvider() ' Compliant
    Dim sha384 = New SHA384CryptoServiceProvider() ' Compliant
    Dim sha512 = New SHA512CryptoServiceProvider() ' Compliant
    ' ...
End Sub
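The recommended practices above distinguish general-purpose hashing (SHA-256 family) from password hashing (a slow key derivation function). The following is an added example, not part of the rule's own code, showing both in VB.NET: PBKDF2 via Rfc2898DeriveBytes with a random salt and constant-time verification, plus SHA-256 for data integrity. The salt size, key size and iteration count are assumed values, and CryptographicOperations.FixedTimeEquals requires .NET Core 2.1 or later.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module HashingExample
    ' Assumed parameters (not from the rule): 16-byte salt, 32-byte derived key,
    ' 100,000 PBKDF2 iterations with SHA-256 as the underlying hash.
    Private Const SaltSize As Integer = 16
    Private Const KeySize As Integer = 32
    Private Const Iterations As Integer = 100000

    ' Returns "iterations.salt.key" (Base64) so the parameters are stored with the hash
    ' and the iteration count can be raised later without breaking old records.
    Public Function HashPassword(password As String) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt) ' per-password random salt defeats precomputed tables
        End Using
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Dim key = kdf.GetBytes(KeySize)
            Return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}"
        End Using
    End Function

    ' Re-derives the key with the stored salt and iteration count and compares in constant time,
    ' so a mismatch does not leak how many leading bytes matched.
    Public Function VerifyPassword(password As String, stored As String) As Boolean
        Dim parts = stored.Split("."c)
        If parts.Length <> 3 Then Return False
        Dim iterations = Integer.Parse(parts(0))
        Dim salt = Convert.FromBase64String(parts(1))
        Dim expected = Convert.FromBase64String(parts(2))
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256)
            Dim actual = kdf.GetBytes(expected.Length)
            Return CryptographicOperations.FixedTimeEquals(actual, expected)
        End Using
    End Function

    ' Integrity hash of arbitrary data: use the SHA256 factory, not HashAlgorithm.Create(),
    ' whose parameterless form the rule flags as Sensitive.
    Public Function Sha256Hex(data As Byte()) As String
        Using sha = SHA256.Create()
            Return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    Sub Main()
        Dim stored = HashPassword("correct horse battery staple")
        Console.WriteLine(VerifyPassword("correct horse battery staple", stored))
        Console.WriteLine(VerifyPassword("wrong password", stored))
        Console.WriteLine(Sha256Hex(Encoding.UTF8.GetBytes("hello")))
    End Sub
End Module
```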