Classification

Overview

The used hash function in HMAC is insecure. Its use can lead to a data confidentiality loss.

In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key.

The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, the size of its hash output, and on the size and quality of the key.

The MD2, MD5, SHA1 hash functions have known vulnerabilities. Finding collisions for MD2 and MD5 functions do not require substantial resources; a similar problem of finding collisions for SHA1 was also solved.

In order to protect valuable data, use well tested implementations of standard encryption algorithms with sufficiently long keys.

Insufficient Cryptography vulnerabilities take the fifth place in the “OWASP Mobile Top 10 2016” mobile application vulnerabilities ranking.

References

1. OWASP: Top 10 2017-A3-Sensitive Data Exposure
2. OWASP: Top 10 2013-A6-Sensitive Data Exposure
3. OWASP: Top 10 2010-A7-Insecure Cryptographic Storage
4. CWE-326: Inadequate Encryption Strength
5. NIST Approved Algorithms
6. MD5 considered harmful today. Creating a rogue CA certificate – Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger / win.tue.nl
7. Encrypting and Hashing Data - developer.apple.com
8. CWE-327
9. CWE-328
10. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
11. Bleichenbacher’s attack
12. Transport Layer Security (TLS) Parameters