The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, RIPEMD160.
The following APIs are tracked for use of obsolete crypto algorithms:
* java.security.AlgorithmParameters
(JDK)
* java.security.AlgorithmParameterGenerator
(JDK)
* java.security.MessageDigest
(JDK)
* java.security.KeyFactory
(JDK)
* java.security.KeyPairGenerator
(JDK)
* java.security.Signature
(JDK)
* javax.crypto.Mac
(JDK)
* javax.crypto.KeyGenerator
(JDK)
* org.apache.commons.codec.digest.DigestUtils
(Apache Commons Codec)
* com.google.common.hash.Hashing
(Guava)
MessageDigest md = MessageDigest.getInstance("SHA1"); // Noncompliant
MessageDigest md = MessageDigest.getInstance("SHA-256");