36 lines
1.3 KiB
Plaintext
36 lines
1.3 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
For https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=netcore-3.1[System.Security.Cryptography] library, these old cryptographic algorithms should no longer be used for any reason:
|
|
|
|
----
|
|
var tripleDES1 = new TripleDESCryptoServiceProvider(); // Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack
|
|
|
|
var simpleDES = new DESCryptoServiceProvider(); // Noncompliant: DES works with 56-bit keys allow attacks via exhaustive search
|
|
|
|
var RC2 = new RC2CryptoServiceProvider(); // Noncompliant: RC2 is vulnerable to a related-key attack
|
|
----
|
|
|
|
For Bouncycastle library, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339[AESFastEngine has a side channel leak], it is possible to gain information about the key used to initialize the cipher:
|
|
|
|
----
|
|
AesFastEngine aesfast = new AesFastEngine(); // Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=netcore-3.1[System.Security.Cryptography] library, it's recommended to use ``++AesCryptoServiceProvider++``:
|
|
|
|
----
|
|
var AES = new AesCryptoServiceProvider(); // Compliant
|
|
----
|
|
|
|
For Bouncycastle library, it's recommended to use ``++AESEngine++``:
|
|
|
|
----
|
|
var AES = new AESEngine(); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|