
I am getting a Veracode issue (CWE IDs 327 and 326, "Use of a Broken or Risky Cryptographic Algorithm") with two Microsoft DLLs (microsoft.codeanalysis.dll and microsoft.identitymodel.tokens.dll).

Below are the approaches we have tried to mitigate this issue, but the issue still persists.

  1. Tried scanning with newer versions of the DLLs.
  2. Updated the hashing algorithm as suggested by Veracode (from SHA-256 to SHA-512) and scanned.
  3. Removed all algorithm-related code from the application and scanned.
  4. Created a new test Angular / .NET Core project and scanned it.

I don't know how to configure the project to mitigate the flaws.

M P Reddy

1 Answer

-2

I believe SHA256 is considered compromised if not used with a salt (see references).

I recommend removing all references to other algorithms and exclusively using:

  1. SHA3, available on NuGet (Bouncy Castle) - recommended
  2. SHA512 - not recommended, since it is already superseded

References:

  1. CWE-327: Use of a Broken or Risky Cryptographic Algorithm https://cwe.mitre.org/data/definitions/327.html

  2. Encryption and Decryption in Java Cryptography (applies to non-java code) https://www.veracode.com/blog/research/encryption-and-decryption-java-cryptography

  3. SHA-256 is not a secure password hashing algorithm https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm

Dave
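Editor's note, as an added example that is not part of the question or the answer above: the code below shows what the answer's recommendation looks like in a .NET Core project, computing SHA3-256 through Bouncy Castle, SHA-512 through the framework's own `System.Security.Cryptography`, a salted SHA3-256 of the kind the third reference discusses, and, for the password case that reference is actually about, a PBKDF2-derived value. It assumes the `BouncyCastle.Cryptography` NuGet package is referenced (namespace `Org.BouncyCastle.Crypto.Digests`) and .NET 6 or later for `RandomNumberGenerator.GetBytes`, `Convert.ToHexString` and the static `Rfc2898DeriveBytes.Pbkdf2`. The sample input strings are constructed for the example.

```csharp
// Added example, not code from the question or answer. Assumes the
// BouncyCastle.Cryptography NuGet package and .NET 6+ (stated assumptions).
using System;
using System.Security.Cryptography;
using System.Text;
using Org.BouncyCastle.Crypto.Digests;

public static class DigestExamples
{
    // SHA3-256 via Bouncy Castle, the option the answer recommends.
    // The constructor argument selects the output size in bits (224/256/384/512).
    public static byte[] Sha3_256(byte[] data)
    {
        var digest = new Sha3Digest(256);
        digest.BlockUpdate(data, 0, data.Length);
        var output = new byte[digest.GetDigestSize()];
        digest.DoFinal(output, 0);
        return output;
    }

    // SHA-512 from the framework itself; no extra package is needed.
    public static byte[] Sha512(byte[] data)
    {
        using var sha = SHA512.Create();
        return sha.ComputeHash(data);
    }

    // Salted SHA3-256: a fresh random salt is prepended to the input.
    // The salt is not secret but must be stored next to the hash so the
    // value can be recomputed later for comparison.
    public static (byte[] Salt, byte[] Hash) SaltedSha3_256(string secret)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        var secretBytes = Encoding.UTF8.GetBytes(secret);
        var input = new byte[salt.Length + secretBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(secretBytes, 0, input, salt.Length, secretBytes.Length);
        return (salt, Sha3_256(input));
    }

    // For stored passwords a deliberately slow key derivation function is the
    // usual tool rather than a single salted digest; PBKDF2 with SHA-512 is the
    // one built into .NET. Iteration count is an assumed, illustrative value.
    public static (byte[] Salt, byte[] Hash) Pbkdf2Password(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        var hash = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt,
            iterations: 600_000, HashAlgorithmName.SHA512, outputLength: 32);
        return (salt, hash);
    }

    public static void Main()
    {
        var data = Encoding.UTF8.GetBytes("hello");     // constructed sample input
        Console.WriteLine("SHA3-256: " + Convert.ToHexString(Sha3_256(data)));
        Console.WriteLine("SHA-512:  " + Convert.ToHexString(Sha512(data)));

        var (salt, hash) = SaltedSha3_256("correct horse");   // constructed input
        Console.WriteLine("salt=" + Convert.ToHexString(salt)
                          + " salted SHA3-256=" + Convert.ToHexString(hash));

        var (pSalt, pHash) = Pbkdf2Password("correct horse"); // constructed input
        Console.WriteLine("salt=" + Convert.ToHexString(pSalt)
                          + " PBKDF2-SHA512=" + Convert.ToHexString(pHash));
    }
}
```

One caveat a practitioner will want: the findings in the question are reported against compiled Microsoft assemblies, and the question's own experiment 3 (removing all algorithm-related code from the application) did not change the result, so changing which digest your own code calls, as shown above, addresses your code's use of hashing but should not be expected on its own to remove a finding that the scanner attributes to a third-party DLL.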