Need

To secure the information transmitted between the client and the server using cryptographically secure algorithms.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Plug (1.11.1 and above) for building composable web applications in Elixir
• Usage of Plug.Crypto for cryptographic operations (version 1.2.0 and above)

Description

Non compliant code

        defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha, data)
  end
end
        
        

This code is vulnerable because it uses the SHA1 encryption algorithm which is considered insecure. It could allow an attacker to reverse a summary function to find sensitive information.

Steps

• Replace the insecure SHA1 algorithm with a secure one like SHA256 or SHA3.
• Ensure to use the appropriate hash function based on the encryption algorithm.

Compliant code

        defmodule MyApp.Encryption do
  def generate_hash(data) do
    :crypto.hash(:sha256, data)
  end
end
        
        

In this secure code example, we've replaced the SHA1 encryption algorithm with SHA256, which is considered secure. This will effectively mitigate the risks associated with SHA1.

References

• 262. Insecure encryption algorithm - SHA1