amsmokefree changed the title from "Security vulnerability" to "Cryptographic Standard Algorithms Security vulnerability spotted in FileEncryptionUtilKT.kt" on Feb 1, 2024
Spotted this during a routine penetration testing exercise
https://github.com/pubnub/java/blob/master/src/main/kotlin/com/pubnub/api/crypto/util/FileEncryptionUtilKT.kt
Mobile apps should not use cryptographic algorithms and protocols that have significant known weaknesses or are otherwise insufficient for modern security requirements. Algorithms that were considered secure in the past may become insecure over time; therefore, it's important to periodically check current best practices and adjust configurations accordingly.
These tests include verification that cryptographic algorithms are up to date and in line with industry standards. Vulnerable algorithms include outdated block ciphers (such as DES and 3DES), stream ciphers (such as RC4), hash functions (such as MD5 and SHA1), and broken random number generators (such as Dual_EC_DRBG and SHA1PRNG).
Note that even algorithms that are certified (for example, by NIST) can become insecure over time.
Algorithms with known weaknesses should be replaced with more secure alternatives.
Outlined instances of cryptographic algorithms that are known to be weak, such as:
• DES, 3DES
• RC2
• RC4
• BLOWFISH
• MD4
• MD5
• SHA1
Upon inspection we identified the following usage of outdated cryptographic algorithms in the following code parts:
Using only algorithms suggested by BSI; see the following resource for details: https://www.keylength.com/en/8/
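A check for the weak algorithm names listed in the issue above, as an added example that is not part of the original issue or of the PubNub code base: it inspects the string literals passed to JCA factory calls and `SecretKeySpec` in Kotlin or Java source. The sample source is constructed, and the alias table (DESede, TripleDES, ARCFOUR, SHA-1, SHA) is an assumption about how the listed algorithms are commonly spelled in JCA calls.

```python
import re

# Weak names from the issue's list, keyed by normalised JCA spelling.
# The aliases (DESede, TripleDES, ARCFOUR, SHA) are assumptions added for this example.
WEAK = {
    "DES": "DES", "DESEDE": "3DES", "TRIPLEDES": "3DES", "3DES": "3DES",
    "RC2": "RC2", "RC4": "RC4", "ARCFOUR": "RC4", "BLOWFISH": "BLOWFISH",
    "MD4": "MD4", "MD5": "MD5", "SHA1": "SHA1", "SHA": "SHA1",
    "SHA1PRNG": "SHA1PRNG",
}
# JCA factory calls whose first argument is an algorithm or transformation string.
FACTORY = re.compile(r'\b(Cipher|MessageDigest|KeyGenerator|SecretKeyFactory|SecureRandom)'
                     r'\s*\.\s*getInstance\s*\(\s*"([^"]+)"')
# SecretKeySpec(..., "ALG"): the algorithm is the last string argument.
KEYSPEC = re.compile(r'\b(SecretKeySpec)\s*\(.*?,\s*"([^"]+)"\s*\)')

def normalise(name):
    """'DESede/CBC/PKCS5Padding' -> 'DESEDE'; 'SHA-1' -> 'SHA1'."""
    return name.split("/")[0].upper().replace("-", "").replace("_", "")

def scan(source):
    """Return (line_no, api, literal, weak_label) for each weak algorithm use."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # skip comment lines
        for pattern in (FACTORY, KEYSPEC):
            for api, literal in pattern.findall(line):
                # Whole-name lookup: "PBKDF2WithHmacSHA1" is not reported as SHA1.
                label = WEAK.get(normalise(literal))
                if label:
                    findings.append((no, api, literal, label))
    return findings

# Constructed Kotlin sample, not taken from FileEncryptionUtilKT.kt.
SAMPLE = '''\
import javax.crypto.Cipher
// Cipher.getInstance("DES") inside a comment is ignored
fun demo(key: ByteArray) {
    val c1 = Cipher.getInstance("DESede/CBC/PKCS5Padding")
    val d1 = MessageDigest.getInstance("SHA-1")
    val k1 = SecretKeySpec(key.copyOf(16), "Blowfish")
    val r1 = SecureRandom.getInstance("SHA1PRNG")
    val f1 = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
    val c2 = Cipher.getInstance("AES/GCM/NoPadding")
}
'''

if __name__ == "__main__":
    for no, api, literal, label in scan(SAMPLE):
        print(f"line {no}: {api} uses {literal!r} -> weak algorithm {label}")
```

Algorithm names built at run time or read from configuration are not visible to a literal scan like this and still need manual review.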