You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
(1) Location: key_agreement.go:115
Broken rule: MD5 is an insecure algorithm;
(2) Location: prf.go:219
Broken rule: MD5 is an insecure algorithm;
(3) Location: prf.go:352
Broken rule: MD5 is an insecure algorithm;
(4) Location: prf.go:95
Broken rule: MD5 is an insecure algorithm;
(5) Location: cipher_suites.go:120
Broken rule: RC4 is an insecure algorithm;
(6) Location: cipher_suites.go:144
Broken rule: SHA-1 is an insecure algorithm;
(7) Location: key_agreement.go:104
Broken rule: SHA-1 is an insecure algorithm;
(8) Location: prf.go:219
Broken rule: SHA-1 is an insecure algorithm;
(9) Location: prf.go:354
Broken rule: SHA-1 is an insecure algorithm;
(10) Location: prf.go:94
Broken rule: SHA-1 is an insecure algorithm;
(11) Location: cipher_suites.go:125
Broken rule: 3TDEA is acceptable but not recommended;
(12) Location: prf.go:38
Broken rule: HMAC-MD5 is acceptable but not recommended;
(13) Location: cipher_suites.go:133
Broken rule: Constant key in AES;
(14) Location: ticket.go:206
Broken rule: Not unique IV in CTR;
(15) Location: key_agreement.go:90
Broken rule: RSAES-PKCS1-v1_5 is deprecated;
(16) Location: key_agreement.go:329
Broken rule: The ScalarMult method of Package curve25519 is deprecated;
(17) Location: key_agreement.go:477
Broken rule: The ScalarMult method of Package curve25519 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
The text was updated successfully, but these errors were encountered:
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
(1) Location: key_agreement.go:115
Broken rule: MD5 is an insecure algorithm;
(2) Location: prf.go:219
Broken rule: MD5 is an insecure algorithm;
(3) Location: prf.go:352
Broken rule: MD5 is an insecure algorithm;
(4) Location: prf.go:95
Broken rule: MD5 is an insecure algorithm;
(5) Location: cipher_suites.go:120
Broken rule: RC4 is an insecure algorithm;
(6) Location: cipher_suites.go:144
Broken rule: SHA-1 is an insecure algorithm;
(7) Location: key_agreement.go:104
Broken rule: SHA-1 is an insecure algorithm;
(8) Location: prf.go:219
Broken rule: SHA-1 is an insecure algorithm;
(9) Location: prf.go:354
Broken rule: SHA-1 is an insecure algorithm;
(10) Location: prf.go:94
Broken rule: SHA-1 is an insecure algorithm;
(11) Location: cipher_suites.go:125
Broken rule: 3TDEA is acceptable but not recommended;
(12) Location: prf.go:38
Broken rule: HMAC-MD5 is acceptable but not recommended;
(13) Location: cipher_suites.go:133
Broken rule: Constant key in AES;
(14) Location: ticket.go:206
Broken rule: Not unique IV in CTR;
(15) Location: key_agreement.go:90
Broken rule: RSAES-PKCS1-v1_5 is deprecated;
(16) Location: key_agreement.go:329
Broken rule: The ScalarMult method of Package curve25519 is deprecated;
(17) Location: key_agreement.go:477
Broken rule: The ScalarMult method of Package curve25519 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
The text was updated successfully, but these errors were encountered: