---
title: Use Only Approved Crypto Algorithms
impact: MEDIUM
impactDescription: ensures cryptographic strength and resistance to collision or brute-force attacks
tags: cryptography, algorithms, hashing, encryption, security, php
---

## Use Only Approved Crypto Algorithms

Weak cryptographic algorithms and modes such as MD5, SHA-1, DES, and AES in ECB mode are either broken or have known weaknesses that make them insecure for modern applications. Always use industry-standard, approved algorithms for hashing and encryption.

**Incorrect (weak algorithms):**

```php
// WEAK hash (MD5 is broken)
$hash = md5($password);

// WEAK encryption mode (ECB mode does not provide semantic security)
$encrypted = openssl_encrypt($data, 'aes-256-ecb', $key);

// WEAK algorithm
$encrypted = openssl_encrypt($data, 'des-ede3', $key); // 3DES is deprecated
```

**Correct (approved algorithms):**

```php
// 1. Password Hashing (Always use password_hash)
$hash = password_hash($password, PASSWORD_ARGON2ID); // Recommended: Argon2id or BCRYPT
$isValid = password_verify($password, $hash);

// 2. Data Integrity (non-password)
$hash = hash('sha256', $data);

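// 3. Strong Authenticated Encryption (GCM mode)
// Generate a fresh random IV for every message; never reuse one with the same key
$iv = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));
$tag = ""; // filled in by reference by openssl_encrypt()
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
// Store $iv, $tag, and $encrypted together; all three are needed to decrypt and verify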
```
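
The GCM snippet above stops at encryption. As an added example (not part of the original rule), the round trip below packs the IV, tag and ciphertext into one stored value and shows decryption rejecting a modified blob; the function names, the `base64(iv|tag|ciphertext)` layout and the sample data are assumptions.

```php
<?php
// Added example: function names and the base64(iv|tag|ciphertext) layout are assumptions.
const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;
function encryptMessage(string $plaintext, string $key, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 requires a 32-byte key');
    }
    // Fresh random IV per message; an IV must never repeat under the same key.
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decryptMessage(string $blob, string $key, string $aad = ''): string
{
    $raw = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    // openssl_decrypt() returns false when the tag (or AAD) does not verify.
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

// Constructed sample data.
$key  = random_bytes(32);
$blob = encryptMessage('account=42;role=user', $key, 'record:42');
echo decryptMessage($blob, $key, 'record:42'), PHP_EOL;
// Flip one bit of the stored blob: decryption must refuse it.
$raw = base64_decode($blob);
$raw[-1] = chr(ord($raw[-1]) ^ 1);
try {
    decryptMessage(base64_encode($raw), $key, 'record:42');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Treat a `false` return from `openssl_decrypt()` as a hard failure and never fall back to using partially processed data.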

**Approved vs Prohibited:**

| Purpose | Approved | Prohibited |
|---------|----------|------------|
| **Data Hashing** | SHA-256, SHA-3, BLAKE2 | MD5, SHA-1 |
| **Encryption** | AES-256-GCM, AES-256-CBC (with HMAC) | AES-ECB, DES, 3DES, RC4 |
| **Passwords** | Argon2id, BCRYPT | MD5, SHA-256, Plain Encryption |

**Best Practice:**
Never roll your own crypto. Use high-level libraries like `libsodium` (bundled with PHP 7.2+ as the `sodium` extension) if you need advanced features. For passwords, **only** use the native `password_hash()` functions.

**Tools:** PHPStan (check for md5/sha1), SonarQube (S2070, S4790), Semgrep
