The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Unlike a standard algorithm, a home-grown one has never been exposed to public cryptanalysis, so its weaknesses stay unknown until an attacker finds them. Standard algorithms such as ``++AES++``, ``++RSA++`` and ``++SHA-256++`` should be used instead, through the implementations the framework already provides.

This rule tracks custom implementations of the following types from the ``++System.Security.Cryptography++`` namespace, i.e. classes that derive from them and therefore supply their own algorithm:

* ``++AsymmetricAlgorithm++``
* ``++AsymmetricKeyExchangeDeformatter++``
* ``++AsymmetricKeyExchangeFormatter++``
* ``++AsymmetricSignatureDeformatter++``
* ``++AsymmetricSignatureFormatter++``
* ``++DeriveBytes++``
* ``++HashAlgorithm++``
* ``++ICryptoTransform++``
* ``++SymmetricAlgorithm++``

include::../recommended.adoc[]

== Sensitive Code Example

[source,csharp]
----
using System.Linq;
using System.Security.Cryptography;

public class CustomHash : HashAlgorithm // Noncompliant
{
    private byte[] result;

    public override void Initialize() => result = null;
    protected override byte[] HashFinal() => result;

    // Keeps only the first 8 bytes of the first chunk it sees and ignores the
    // rest of the input (and the ibStart/cbSize range), so any two messages
    // sharing the same 8-byte prefix produce the same "hash".
    protected override void HashCore(byte[] array, int ibStart, int cbSize) =>
        result ??= array.Take(8).ToArray();
}
----

== Compliant Solution

[source,csharp]
----
using System.Security.Cryptography;

// Rely on the framework's vetted implementation instead of a custom one
using SHA256 mySHA256 = SHA256.Create();
----

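To make the risk concrete, here is an added example (not part of the original rule description) that runs the ``++CustomHash++`` from the Sensitive Code Example against two constructed messages which differ only after their first 8 bytes, then hashes the same pair with the framework's ``++SHA256++``. The class name ``++CollisionDemo++``, the helper ``++CollidesUnder++`` and the two invoice strings are assumptions made for this example.

```csharp
// Added example: demonstrates why a home-grown HashAlgorithm is unsafe.
// CustomHash below is the class from the rule's Sensitive Code Example;
// CollisionDemo, CollidesUnder and the invoice strings are constructed here.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public class CustomHash : HashAlgorithm // Noncompliant: non-standard algorithm
{
    private byte[] result;

    public override void Initialize() => result = null;
    protected override byte[] HashFinal() => result;

    // Only the first 8 bytes of the input ever influence the "digest".
    protected override void HashCore(byte[] array, int ibStart, int cbSize) =>
        result ??= array.Take(8).ToArray();
}

public static class CollisionDemo
{
    // Constructed inputs: an original document and a tampered copy that share
    // their first 8 bytes ("INVOICE#") but differ in the amount.
    private static readonly byte[] Original = Encoding.UTF8.GetBytes("INVOICE#1 pay 100 EUR");
    private static readonly byte[] Tampered = Encoding.UTF8.GetBytes("INVOICE#1 pay 999 EUR");

    // Returns true when the algorithm cannot tell the two documents apart,
    // i.e. an integrity check built on it would accept the tampered copy.
    public static bool CollidesUnder(HashAlgorithm algorithm)
    {
        byte[] a = algorithm.ComputeHash(Original);
        byte[] b = algorithm.ComputeHash(Tampered);
        return a.SequenceEqual(b);
    }

    public static void Main()
    {
        using HashAlgorithm weak = new CustomHash();   // Noncompliant
        using HashAlgorithm strong = SHA256.Create();  // Compliant

        Console.WriteLine($"CustomHash collision: {CollidesUnder(weak)}");
        Console.WriteLine($"SHA256 collision:     {CollidesUnder(strong)}");
    }
}
```

Because ``++CustomHash++`` keeps only the first 8 input bytes, ``++CollidesUnder++`` returns ``++true++`` for it: the tampered invoice carries the same "hash" as the original, so any integrity check or signature built on it is bypassed without any cryptanalysis at all. For ``++SHA256++`` the two digests differ and the function returns ``++false++``. The example builds as a plain console project on .NET 6 or later and needs no packages beyond the base class library.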
include::../see.adoc[]