39 lines
1.1 KiB
Plaintext
39 lines
1.1 KiB
Plaintext
The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms like ``AES``, ``RSA``, ``SHA``, ... should be used instead.
|
|
|
|
This rule tracks custom implementation of these types from ``System.Security.Cryptography`` namespace:
|
|
|
|
* ``AsymmetricAlgorithm``
|
|
* ``AsymmetricKeyExchangeDeformatter``
|
|
* ``AsymmetricKeyExchangeFormatter``
|
|
* ``AsymmetricSignatureDeformatter``
|
|
* ``AsymmetricSignatureFormatter``
|
|
* ``DeriveBytes``
|
|
* ``HashAlgorithm``
|
|
* ``ICryptoTransform``
|
|
* ``SymmetricAlgorithm``
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
public class CustomHash : HashAlgorithm // Noncompliant
|
|
{
|
|
private byte[] result;
|
|
|
|
public override void Initialize() => result = null;
|
|
protected override byte[] HashFinal() => result;
|
|
|
|
protected override void HashCore(byte[] array, int ibStart, int cbSize) =>
|
|
result ??= array.Take(8).ToArray();
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
SHA256 mySHA256 = SHA256.Create()
|
|
----
|
|
|
|
include::../see.adoc[]
|