The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like ``++AES++``, ``++RSA++``, ``++SHA++``, ... should be used instead.


This rule tracks custom implementation of these types from ``++System.Security.Cryptography++`` namespace:

* ``++AsymmetricAlgorithm++``
* ``++AsymmetricKeyExchangeDeformatter++``
* ``++AsymmetricKeyExchangeFormatter++``
* ``++AsymmetricSignatureDeformatter++``
* ``++AsymmetricSignatureFormatter++``
* ``++DeriveBytes++``
* ``++HashAlgorithm++``
* ``++ICryptoTransform++``
* ``++SymmetricAlgorithm++``

include::../recommended.adoc[]

== Sensitive Code Example

----
public class CustomHash : HashAlgorithm // Noncompliant
{
    private byte[] result;

    public override void Initialize() => result = null;
    protected override byte[] HashFinal() => result;

    protected override void HashCore(byte[] array, int ibStart, int cbSize) =>
        result ??= array.Take(8).ToArray();
}
----

== Compliant Solution

[source,csharp]
----
SHA256 mySHA256 = SHA256.Create()
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]