Using a non-standard (custom) cryptographic algorithm is dangerous: a determined attacker may be able to break the algorithm and compromise whatever data it was meant to protect. Standard, publicly reviewed algorithms such as ``++AES++``, ``++RSA++`` or ``++SHA++`` should be used instead.
|
|
|
|
|
|
This rule flags custom implementations of the following types from the ``++System.Security.Cryptography++`` namespace:
|
|
|
|
* ``++AsymmetricAlgorithm++``
|
|
* ``++AsymmetricKeyExchangeDeformatter++``
|
|
* ``++AsymmetricKeyExchangeFormatter++``
|
|
* ``++AsymmetricSignatureDeformatter++``
|
|
* ``++AsymmetricSignatureFormatter++``
|
|
* ``++DeriveBytes++``
|
|
* ``++HashAlgorithm++``
|
|
* ``++ICryptoTransform++``
|
|
* ``++SymmetricAlgorithm++``
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,vbnet]
----
|
|
Public Class CustomHash ' Noncompliant
    ' Deriving from HashAlgorithm makes this a home-grown hash primitive: it has
    ' had no public analysis, so callers cannot rely on it for integrity checks.
    Inherits HashAlgorithm

    ' Bytes captured by the first HashCore call; Nothing until then.
    Private _captured() As Byte

    ' Clears the captured bytes so the instance can process a new message.
    Public Overrides Sub Initialize()
        _captured = Nothing
    End Sub

    ' Returns the captured bytes (Nothing if HashCore was never called).
    Protected Overrides Function HashFinal() As Byte()
        Return _captured
    End Function

    ' Keeps the first eight bytes of the array on the first call and ignores
    ' every later chunk. ibStart and cbSize are not honoured: only the leading
    ' bytes of the whole buffer are ever looked at, which is part of why this
    ' "hash" offers no real protection.
    Protected Overrides Sub HashCore(array() As Byte, ibStart As Integer, cbSize As Integer)
        If _captured Is Nothing Then
            _captured = array.Take(8).ToArray()
        End If
    End Sub
End Class
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,vbnet]
|
|
----
|
|
' Use a standard algorithm supplied by the framework instead of subclassing HashAlgorithm.
Dim mySHA256 As SHA256 = SHA256.Create()
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|