Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None

      Description

      The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data it protects. Standard algorithms such as AES, RSA and SHA should be used instead.

      This rule tracks custom implementations (subclasses) of the following types from the System.Security.Cryptography namespace:

      • AsymmetricAlgorithm
      • AsymmetricKeyExchangeDeformatter
      • AsymmetricKeyExchangeFormatter
      • AsymmetricSignatureDeformatter
      • AsymmetricSignatureFormatter
      • DeriveBytes
      • HashAlgorithm
      • ICryptoTransform
      • SymmetricAlgorithm

      Recommended Secure Coding Practices

      • Use a standard algorithm instead of creating a custom one.

      Sensitive Code Example

      ' Imports the example needs: HashAlgorithm lives in System.Security.Cryptography,
      ' and array.Take(...) is a LINQ extension method.
      Imports System.Linq
      Imports System.Security.Cryptography

      Public Class CustomHash     ' Noncompliant: a hand-rolled HashAlgorithm subclass
          Inherits HashAlgorithm

          ' The "digest" is only the first 8 bytes of the first buffer passed to HashCore.
          Private fResult() As Byte

          Public Overrides Sub Initialize()
              fResult = Nothing
          End Sub

          Protected Overrides Function HashFinal() As Byte()
              Return fResult
          End Function

          Protected Overrides Sub HashCore(array() As Byte, ibStart As Integer, cbSize As Integer)
              ' Only the first call contributes; later buffers, ibStart and cbSize are ignored.
              fResult = If(fResult, array.Take(8).ToArray)
          End Sub

      End Class


      Compliant Solution

      Imports System.Security.Cryptography

      ' Compliant: obtain the framework's standard SHA-256 implementation instead of subclassing HashAlgorithm.
      Dim mySHA256 As SHA256 = SHA256.Create()

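      The following program is an added example, not code from the RSPEC page or from SonarSource. It shows how the standard SHA-256 implementation is used through the same abstract HashAlgorithm and ICryptoTransform surface that the noncompliant CustomHash subclasses (one-shot, stream and chunked hashing), and compares digests in constant time. It assumes .NET Core 2.1 / .NET 5 or later for CryptographicOperations.FixedTimeEquals; the two invoice strings are constructed sample inputs that share an 8-byte prefix, which is exactly the case CustomHash cannot distinguish.

```vbnet
' Added example (not part of the RSPEC page): drive the framework's standard
' HashAlgorithm implementation rather than writing the primitive yourself.
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Module StandardHashing

    ' One-shot hash of an in-memory buffer.
    Function HashBytes(data As Byte()) As Byte()
        Using sha As SHA256 = SHA256.Create()
            Return sha.ComputeHash(data)
        End Using
    End Function

    ' Hash of a stream; the framework reads it in blocks, so large inputs
    ' are never loaded into memory at once.
    Function HashStream(input As Stream) As Byte()
        Using sha As SHA256 = SHA256.Create()
            Return sha.ComputeHash(input)
        End Using
    End Function

    ' Incremental hashing through TransformBlock/TransformFinalBlock, the
    ' ICryptoTransform surface the rule also tracks custom implementations of.
    ' A null output buffer is permitted by the API when no copy is wanted.
    Function HashChunks(chunks As IEnumerable(Of Byte())) As Byte()
        Using sha As SHA256 = SHA256.Create()
            For Each chunk In chunks
                sha.TransformBlock(chunk, 0, chunk.Length, Nothing, 0)
            Next
            sha.TransformFinalBlock(Array.Empty(Of Byte)(), 0, 0)
            Return sha.Hash
        End Using
    End Function

    Function ToHex(bytes As Byte()) As String
        Return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant()
    End Function

    ' Constant-time comparison so a mismatch does not leak how many leading bytes agree.
    ' Assumes .NET Core 2.1 / .NET 5 or later (CryptographicOperations).
    Function DigestsMatch(a As Byte(), b As Byte()) As Boolean
        Return CryptographicOperations.FixedTimeEquals(a, b)
    End Function

    Sub Main()
        ' Constructed sample inputs sharing an 8-byte prefix: the page's CustomHash
        ' (first 8 bytes of the first buffer) would return the same value for both.
        Dim first As Byte() = Encoding.UTF8.GetBytes("invoice-0001: total=100.00")
        Dim second As Byte() = Encoding.UTF8.GetBytes("invoice-0001: total=999.00")

        Dim d1 As Byte() = HashBytes(first)
        Dim d2 As Byte() = HashBytes(second)
        Console.WriteLine("SHA-256(first)  = " & ToHex(d1))
        Console.WriteLine("SHA-256(second) = " & ToHex(d2))
        ' A standard hash separates the two inputs; the custom one could not.
        Console.WriteLine("digests equal: " & DigestsMatch(d1, d2))

        ' The stream and chunked paths must agree with the one-shot digest.
        Using ms As New MemoryStream(first)
            Console.WriteLine("stream == one-shot: " & DigestsMatch(HashStream(ms), d1))
        End Using
        Dim chunked As Byte() = HashChunks({first.Take(8).ToArray(), first.Skip(8).ToArray()})
        Console.WriteLine("chunked == one-shot: " & DigestsMatch(chunked, d1))
    End Sub
End Module
```

      Every entry point goes through SHA256.Create(), so swapping in another standard algorithm (SHA384, SHA512, or HMACSHA256 when a key is involved) changes one line, and the rule is satisfied because no type from the tracked list is subclassed.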

             Reporter: pavel.mikula (Pavel Mikula)