Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like AES, RSA, SHA, ... should be used instead.

      This rule tracks custom implementation of these types from System.Security.Cryptography namespace:

      • AsymmetricAlgorithm
      • AsymmetricKeyExchangeDeformatter
      • AsymmetricKeyExchangeFormatter
      • AsymmetricSignatureDeformatter
      • AsymmetricSignatureFormatter
      • DeriveBytes
      • HashAlgorithm
      • ICryptoTransform
      • SymmetricAlgorithm

      Recommended Secure Coding Practices

      • Use a standard algorithm instead of creating a custom one.

      Sensitive Code Example

      public class CustomHash : HashAlgorithm // Noncompliant
      {
          private byte[] result;
      
          public override void Initialize() => result = null;
          protected override byte[] HashFinal() => result;
      
          protected override void HashCore(byte[] array, int ibStart, int cbSize) =>
              result ??= array.Take(8).ToArray();
      }
      

      Compliant Solution

      SHA256 mySHA256 = SHA256.Create()
      

      See

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            pavel.mikula Pavel Mikula
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: