Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Default Quality Profiles:
      Sonar way

      Description

      Noncompliant Code Example

      For the System.Security.Cryptography library, these legacy cryptographic algorithms should no longer be used for any reason:

      var tripleDES1 = new TripleDESCryptoServiceProvider(); // Noncompliant: Triple DES is vulnerable to a meet-in-the-middle attack

      var simpleDES = new DESCryptoServiceProvider(); // Noncompliant: DES uses 56-bit keys, which allow key recovery by exhaustive search

      var RC2 = new RC2CryptoServiceProvider(); // Noncompliant: RC2 is vulnerable to a related-key attack

      For the BouncyCastle library, AESFastEngine has a side-channel leak through which it is possible to gain information about the key used to initialize the cipher:

      AesFastEngine aesfast = new AesFastEngine(); // Noncompliant

      Compliant Solution

      For the System.Security.Cryptography library, it is recommended to use AesCryptoServiceProvider:

      var AES = new AesCryptoServiceProvider(); // Compliant

      For the BouncyCastle library, it is recommended to use AESEngine:

      var AES = new AesEngine(); // Compliant (C# BouncyCastle class name)
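      As an added example (not part of the rule description), here is the compliant AesCryptoServiceProvider class used for a full encrypt/decrypt round trip: a fresh random IV per message, PKCS7 padding, and the IV prepended to the ciphertext so the receiver can recover it. It assumes the caller supplies a 32-byte key from a key store; the rule only governs the algorithm choice, and CBC output is unauthenticated, so pair it with an HMAC or use an AEAD mode where tampering must be detected.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the rule description: the compliant AES class
// used for a full encrypt/decrypt round trip. The 32-byte key is assumed to
// come from the caller (e.g. a key store); never hard-code it.
public static class AesUsage
{
    private const int IvLength = 16; // AES block size in bytes

    // Returns IV || ciphertext. A fresh random IV per call means the same
    // plaintext never produces the same output twice.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (var aes = new AesCryptoServiceProvider()) // Compliant: AES, not DES/3DES/RC2
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;          // 32 bytes selects AES-256
            aes.GenerateIV();       // random IV from the CSP
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                byte[] output = new byte[IvLength + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, output, 0, IvLength);
                Buffer.BlockCopy(ct, 0, output, IvLength, ct.Length);
                return output;
            }
        }
    }

    // Accepts the IV || ciphertext layout produced by Encrypt.
    public static byte[] Decrypt(byte[] key, byte[] ivAndCiphertext)
    {
        if (ivAndCiphertext.Length < IvLength + 16) // IV plus at least one padded block
            throw new CryptographicException("input too short to contain IV and one block");
        using (var aes = new AesCryptoServiceProvider())
        {
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.Key = key;
            byte[] iv = new byte[IvLength];
            Buffer.BlockCopy(ivAndCiphertext, 0, iv, 0, IvLength);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCiphertext, IvLength, ivAndCiphertext.Length - IvLength);
        }
    }
}
```

      Calling Decrypt(key, Encrypt(key, plaintext)) returns the original bytes; a wrong key or a corrupted final block typically surfaces as a CryptographicException from the padding check, which is why an integrity check should be layered on top.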

            People

            • Reporter:
              Eric Therond (eric.therond)