44 lines
1.7 KiB
Plaintext
44 lines
1.7 KiB
Plaintext
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6.
|
|
|
|
|
|
This rule tracks usage of the ``++System.Security.Cryptography.CryptoConfig.CreateFromName()++``, and ``++System.Security.Cryptography.HashAlgorithm.Create()++`` methods to instantiate MD5, DSA, HMACMD5, HMACRIPEMD160, RIPEMD-160 or SHA-1 algorithms, and of derived class instances of ``++System.Security.Cryptography.SHA1++`` and ``++System.Security.Cryptography.MD5++``.
|
|
|
|
|
|
Consider using safer alternatives, such as SHA-256, or SHA-3.
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,csharp]
|
|
----
|
|
var hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant
|
|
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant
|
|
var hashProvider3 = new SHA1Managed(); //Noncompliant
|
|
var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,csharp]
|
|
----
|
|
var hashProvider1 = new SHA256Managed();
|
|
var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA256Managed");
|
|
var hashProvider3 = HashAlgorithm.Create("SHA256Managed");
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|