rspec/rules/S4432/csharp/rule.adoc

== Why is this an issue?

Encryption algorithms can be used with various modes. Some combinations are not secured:


* Electronic Codebook (ECB) mode: Under a given key, any given plaintext block always gets encrypted to the same ciphertext block. Thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
* Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks. CBC + PKCS#7 can be used if combined with an authenticity check (HMAC-SHA256 for example) on the cipher text.

In both cases, Galois/Counter Mode (GCM) with no padding should be preferred. As the .NET framework doesn't provide this natively, the use of a certified third party lib is recommended. 


This rule raises an issue when any of the following CipherMode is detected: ECB, CBC, OFB, CFB, CTS.

=== Noncompliant code example

[source,csharp]
----
AesManaged aes = new AesManaged
{
  KeySize = 128,
  BlockSize = 128,
  Mode = CipherMode.OFB, // Noncompliant
  Padding = PaddingMode.PKCS7
};
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Encryption algorithms can be used with various modes. Some combinations are not secured:`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* Electronic Codebook (ECB) mode: Under a given key, any given plaintext block always gets encrypted to the same ciphertext block. Thus, it does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.`
			`* Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks. CBC + PKCS#7 can be used if combined with an authenticity check (HMAC-SHA256 for example) on the cipher text.`

			`In both cases, Galois/Counter Mode (GCM) with no padding should be preferred. As the .NET framework doesn't provide this natively, the use of a certified third party lib is recommended.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`This rule raises an issue when any of the following CipherMode is detected: ECB, CBC, OFB, CFB, CTS.`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`AesManaged aes = new AesManaged`
			`{`
			`KeySize = 128,`
			`BlockSize = 128,`
			`Mode = CipherMode.OFB, // Noncompliant`
			`Padding = PaddingMode.PKCS7`
			`};`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`