---
title: Use Only Approved Crypto Algorithms
impact: MEDIUM
impactDescription: ensures cryptographic strength
tags: cryptography, algorithms, hashing, encryption, security
---

## Use Only Approved Crypto Algorithms

Weak algorithms are broken. MD5, SHA1, DES, and ECB mode have known vulnerabilities.

**Incorrect (weak algorithms):**

```go
import (
    "crypto/md5"
    "crypto/des"
    "crypto/cipher"
)

// WEAK hash
h := md5.New()
h.Write([]byte(password))
hash := h.Sum(nil)

// WEAK algorithm
block, _ := des.NewCipher(key)
```

**Correct (approved algorithms):**

```go
import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/sha256"
    "golang.org/x/crypto/bcrypt"
)

// STRONG hash (for data integrity)
h := sha256.New()
h.Write(data)
hash := h.Sum(nil)

// STRONG authenticated encryption (GCM mode)
block, _ := aes.NewCipher(key)
aesGCM, _ := cipher.NewGCM(block)
ciphertext := aesGCM.Seal(nil, nonce, plaintext, associatedData)

// For passwords - use specialized functions
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
err := bcrypt.CompareHashAndPassword(hashedPassword, []byte(password))
```

**Approved vs Prohibited:**

| Purpose | Approved | Prohibited |
|---------|----------|------------|
| Hash | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
| Encryption | AES-GCM, ChaCha20-Poly1305 | DES, 3DES, AES-ECB |
| Password | bcrypt, Argon2, scrypt | MD5, SHA-*, plain AES |

**Tools:** SonarQube, Semgrep, `crypto` (standard library)
