2021-01-27 13:42:22 +01:00
The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like ``++AES++``, ``++RSA++``, ``++SHA++``, ... should be used instead.
2021-02-02 15:02:10 +01:00
2021-01-27 13:42:22 +01:00
This rule tracks custom implementation of these types from ``++System.Security.Cryptography++`` namespace:
* ``++AsymmetricAlgorithm++``
* ``++AsymmetricKeyExchangeDeformatter++``
* ``++AsymmetricKeyExchangeFormatter++``
* ``++AsymmetricSignatureDeformatter++``
* ``++AsymmetricSignatureFormatter++``
* ``++DeriveBytes++``
* ``++HashAlgorithm++``
* ``++ICryptoTransform++``
* ``++SymmetricAlgorithm++``
2020-12-21 15:38:52 +01:00
include::../recommended.adoc[]
== Sensitive Code Example
----
Public Class CustomHash ' Noncompliant
Inherits HashAlgorithm
Private fResult() As Byte
Public Overrides Sub Initialize()
fResult = Nothing
End Sub
Protected Overrides Function HashFinal() As Byte()
Return fResult
End Function
Protected Overrides Sub HashCore(array() As Byte, ibStart As Integer, cbSize As Integer)
fResult = If(fResult, array.Take(8).ToArray)
End Sub
End Class
----
== Compliant Solution
----
Dim mySHA256 As SHA256 = SHA256.Create()
----
include::../see.adoc[]
