---
title: Use Only Approved Crypto Algorithms
impact: MEDIUM
impactDescription: ensures cryptographic strength and protects against known attacks
tags: cryptography, algorithms, hashing, encryption, security, kotlin
---

## Use Only Approved Crypto Algorithms

Weak cryptographic algorithms (MD5, SHA1, DES) or insecure modes (ECB) have known vulnerabilities and can be broken with modern hardware. Using them puts data at risk of decryption or collision attacks.

**Incorrect (weak or deprecated algorithms):**

```kotlin
// WEAK hash (MD5/SHA1)
val md = MessageDigest.getInstance("MD5")
val hash = md.digest(password.toByteArray())

// WEAK encryption mode (ECB mode is insecure)
val cipher = Cipher.getInstance("AES/ECB/PKCS5Padding")

// WEAK algorithm
val desCipher = Cipher.getInstance("DES")
```

**Correct (approved strong algorithms):**

```kotlin
// STRONG hash for integrity
val digest = MessageDigest.getInstance("SHA-256")
val hash = digest.digest(data.toByteArray())

// STRONG authenticated encryption (GCM mode)
val cipher = Cipher.getInstance("AES/GCM/NoPadding")
val spec = GCMParameterSpec(128, iv)
cipher.init(Cipher.ENCRYPT_MODE, secretKey, spec)

// For passwords - use specialized libraries like BCrypt or Argon2 (via Spring Security or Ktor)
val hashedPassword = BCrypt.withDefaults().hashToString(12, password.toCharArray())
val isMatched = BCrypt.verifyer().verify(password.toCharArray(), hashedPassword).verified
```

**Approved vs Prohibited:**

| Purpose | Approved | Prohibited |
|---------|----------|------------|
| General Hashing | SHA-256, SHA-512, SHA-3 | MD5, SHA-1 |
| Data Encryption | AES-GCM (256-bit) | DES, 3DES, AES-ECB |
| Password Hashing | Argon2id, bcrypt (cost >= 12) | SHA-*, plain AES, MD5 |

**Tools:** SonarQube (S2070, S4790), Semgrep, detekt (WeakCrypto)
