Insecure Encryption Algorithm - SHA1 - Elixir

Insecure Encryption Algorithm - SHA1 - Elixir

Need

To secure the information transmitted between the client and the server using cryptographically secure algorithms.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.11.1 and above) for building composable web applications in Elixir
  • Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)

Description

Non compliant code

        defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha, data)
  end
end
        
        

This code is vulnerable because it uses the SHA1 encryption algorithm which is considered insecure. It could allow an attacker to reverse a summary function to find sensitive information.

Steps

  • Replace the insecure SHA1 algorithm with a secure one like SHA256 or SHA3.
  • Ensure to use the appropriate hash function based on the encryption algorithm.

Compliant code

        defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha256, data)
  end
end
        
        

In this secure code example, we've replaced the SHA1 encryption algorithm with SHA256, which is considered secure. This will effectively mitigate the risks associated with SHA1.

References