The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like SHA-256, SHA-384, SHA-512, …​ should be used instead.

This rule tracks creation of java.security.MessageDigest subclasses.

Recommended Secure Coding Practices

Sensitive Code Example

public class MyCryptographicAlgorithm extends MessageDigest {
  ...
}

Compliant Solution

MessageDigest digest = MessageDigest.getInstance("SHA-256");

See