rspec/rules/S2070/csharp/rule.adoc

The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6.


This rule tracks usage of the ``++System.Security.Cryptography.CryptoConfig.CreateFromName()++``, and ``++System.Security.Cryptography.HashAlgorithm.Create()++`` methods to instantiate MD5, DSA, HMACMD5, HMACRIPEMD160, RIPEMD-160 or SHA-1 algorithms, and of derived class instances of ``++System.Security.Cryptography.SHA1++`` and ``++System.Security.Cryptography.MD5++``.


Consider using safer alternatives, such as SHA-256, or SHA-3.

== Noncompliant Code Example

[source,csharp]
----
var hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant
var hashProvider3 = new SHA1Managed(); //Noncompliant
var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant
----

== Compliant Solution

[source,csharp]
----
var hashProvider1 = new SHA256Managed();
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA256Managed");
var hashProvider3 = HashAlgorithm.Create("SHA256Managed");
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6.`

Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule tracks usage of the ``++System.Security.Cryptography.CryptoConfig.CreateFromName()++``, and ``++System.Security.Cryptography.HashAlgorithm.Create()++`` methods to instantiate MD5, DSA, HMACMD5, HMACRIPEMD160, RIPEMD-160 or SHA-1 algorithms, and of derived class instances of ``++System.Security.Cryptography.SHA1++`` and ``++System.Security.Cryptography.MD5++``.
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`Consider using safer alternatives, such as SHA-256, or SHA-3.`

			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`var hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant`
			`var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant`
			`var hashProvider3 = new SHA1Managed(); //Noncompliant`
			`var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`var hashProvider1 = new SHA256Managed();`
			`var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA256Managed");`
			`var hashProvider3 = HashAlgorithm.Create("SHA256Managed");`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`