include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- using System; using System.Security.Cryptography; namespace MyNamespace { public class MyClass { public void Main() { Byte[] data = {1,1,1}; RSA myRSA = RSA.Create(); RSAEncryptionPadding padding = RSAEncryptionPadding.CreateOaep(HashAlgorithmName.SHA1); // Review all base RSA class' Encrypt/Decrypt calls myRSA.Encrypt(data, padding); // Sensitive myRSA.EncryptValue(data); // Sensitive myRSA.Decrypt(data, padding); // Sensitive myRSA.DecryptValue(data); // Sensitive RSACryptoServiceProvider myRSAC = new RSACryptoServiceProvider(); // Review the use of any TryEncrypt/TryDecrypt and specific Encrypt/Decrypt of RSA subclasses. myRSAC.Encrypt(data, false); // Sensitive myRSAC.Decrypt(data, false); // Sensitive int written; myRSAC.TryEncrypt(data, Span.Empty, padding, out written); // Sensitive myRSAC.TryDecrypt(data, Span.Empty, padding, out written); // Sensitive byte[] rgbKey = {1,2,3}; byte[] rgbIV = {4,5,6}; SymmetricAlgorithm rijn = SymmetricAlgorithm.Create(); // Review the creation of Encryptors from any SymmetricAlgorithm instance. rijn.CreateEncryptor(); // Sensitive rijn.CreateEncryptor(rgbKey, rgbIV); // Sensitive rijn.CreateDecryptor(); // Sensitive rijn.CreateDecryptor(rgbKey, rgbIV); // Sensitive } public class MyCrypto : System.Security.Cryptography.AsymmetricAlgorithm // Sensitive { // ... } public class MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm // Sensitive { // ... } } } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) === on 8 Oct 2018, 18:14:56 Nicolas Harraudeau wrote: *Implementation details*: Note that the example does not list all RSA subclasses. RSA subclasses have additional encryption and decryption methods which are not present in the parent class. See https://docs.microsoft.com/en-gb/dotnet/standard/security/encrypting-data[.Net documentation]. === on 6 Nov 2018, 18:57:56 Duncan Pocklington wrote: \[~nicolas.harraudeau] a couple of questions: * _MyCrypto2 : System.Security.Cryptography.SymmetricAlgorithm_: _MyCrypto2_ will have to provide implementations of _CreateEncryptor_ and _CreateDecryptor_, and any use of those methods will be flagged as issues. What's the reason for also flagging class definitions that inherit from _SymmetricAlgorithms_? Is it because implementing your own encrypting algorithms isn't generally a good idea? If so, it would be worth adding that as a comment in the Sensitive Code Example. * same for _AsymmetricAlgorithm_, except in this case the answer might be different since the base class doesn't define any methods that we are tracking === on 7 Nov 2018, 09:57:32 Nicolas Harraudeau wrote: \[~duncan.pocklington] As said IRL: for both classes it is generally a bad practice to define your own implementations. I'll update the RSPEC right away. include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]