Skip to content

Latest commit

 

History

History
88 lines (67 loc) · 3.42 KB

ca5373.md

File metadata and controls

88 lines (67 loc) · 3.42 KB
Raw
title description ms.date author dev_langs f1_keywords
CA5373: Do not use obsolete key derivation function (code analysis)
Provides information about code analysis rule CA5373, including causes, how to fix violations, and when to suppress it.
08/14/2019
filipsebesta
CSharp
CA5373
DoNotUseObsoleteKDFAlgorithm

CA5373: Do not use obsolete key derivation function

Property Value
Rule ID CA5373
Title Do not use obsolete key derivation function
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

Cryptographically weak key derivation methods xref:System.Security.Cryptography.PasswordDeriveBytes?displayProperty=nameWithType and/or xref:System.Security.Cryptography.Rfc2898DeriveBytes.CryptDeriveKey%2A?displayProperty=nameWithType are used to generate a key.

Rule description

This rule detects the invocation of weak key derivation methods xref:System.Security.Cryptography.PasswordDeriveBytes?displayProperty=nameWithType and xref:System.Security.Cryptography.Rfc2898DeriveBytes.CryptDeriveKey%2A?displayProperty=nameWithType. xref:System.Security.Cryptography.PasswordDeriveBytes?displayProperty=nameWithType used a weak algorithm PBKDF1. xref:System.Security.Cryptography.Rfc2898DeriveBytes.CryptDeriveKey%2A?displayProperty=nameWithType does not use iteration count and salt from the Rfc2898DeriveBytes object, which makes it weak.

How to fix violations

Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing. xref:System.Security.Cryptography.Rfc2898DeriveBytes.GetBytes%2A?displayProperty=nameWithType can be used to achieve that.

When to suppress warnings

Suppress the warning if the risk associated with using PBKDF1 is carefully reviewed and accepted.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5373
// The code that's violating the rule is on this line.
#pragma warning restore CA5373

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5373.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.

using System;
using System.Security.Cryptography;
class TestClass
{
    public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV)
    {
        rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
    }
}

Solution

using System;
using System.Security.Cryptography;
class TestClass
{
    public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes)
    {
        rfc2898DeriveBytes.GetBytes(1);
    }
}