| title | description | ms.date | author | ms.author | f1_keywords |
|---|---|---|---|---|---|
| CA5379: Ensure key derivation function algorithm is sufficiently strong (code analysis) | Provides information about code analysis rule CA5379, including causes, how to fix violations, and when to suppress it. | 05/07/2020 | LLLXXXCCC | linche | |

| Property | Value |
|---|---|
| Rule ID | CA5379 |
| Title | Ensure key derivation function algorithm is sufficiently strong |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |

Use of one of the following algorithms when instantiating `System.Security.Cryptography.Rfc2898DeriveBytes`:

- `System.Security.Cryptography.MD5`
- `System.Security.Cryptography.SHA1`
- An algorithm that the rule can't determine at compile time

The `Rfc2898DeriveBytes` class defaults to the `HashAlgorithmName.SHA1` algorithm. When you instantiate an `Rfc2898DeriveBytes` object, specify a hash algorithm of `HashAlgorithmName.SHA256` or higher. Note that the `Rfc2898DeriveBytes.HashAlgorithm` property only has a `get` accessor, so the algorithm cannot be changed after construction; it has to be chosen in the constructor call.

MD5 and SHA1 have practical collision attacks and are deprecated for new cryptographic designs, so use `SHA256` or higher with the `Rfc2898DeriveBytes` class. The hash algorithm is only one part of a sound PBKDF2 configuration: also use a unique, randomly generated salt for each password and an iteration count high enough to make brute-force guessing expensive.

Older versions of .NET Framework or .NET Core may not allow you to specify a key derivation function hash algorithm (the `Rfc2898DeriveBytes` constructor overloads that accept a `HashAlgorithmName` first shipped in .NET Framework 4.7.2). In such cases, you need to upgrade the target framework version of .NET to use a stronger algorithm.

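The following is an added example (not code from the rule documentation) showing a CA5379-compliant use of `Rfc2898DeriveBytes`: the hash algorithm is passed explicitly to the constructor, because `HashAlgorithm` is read-only, and the derived key is stored with its random salt and iteration count so it can be verified later. It assumes .NET 6 or later (for `RandomNumberGenerator.GetBytes` and the static `Rfc2898DeriveBytes.Pbkdf2` method); the class name `Pbkdf2Example`, the storage format `iterations.salt.key`, and the iteration count are choices made for this example only.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the CA5379 rule page: derive and verify a password
// hash with PBKDF2 while explicitly selecting SHA-256, which satisfies CA5379.
static class Pbkdf2Example
{
    // Assumed parameters for this example; tune the iteration count to your
    // hardware and latency budget (higher is better).
    const int SaltSize = 16;        // 128-bit salt
    const int KeySize = 32;         // 256-bit derived key
    const int Iterations = 600_000; // assumption: a cost suitable for current CPUs
    static readonly HashAlgorithmName Hash = HashAlgorithmName.SHA256;

    // Produces "iterations.base64(salt).base64(key)". The hash algorithm is fixed
    // at construction time because Rfc2898DeriveBytes.HashAlgorithm is read-only.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // fresh salt per password
        byte[] key = Derive(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
        {
            return false; // malformed record
        }
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(password, salt, iterations);
        // Constant-time comparison so the verifier does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // Compliant: the hash algorithm is stated explicitly in the constructor.
        // new Rfc2898DeriveBytes(password, salt, iterations) would silently use SHA1 and trigger CA5379.
        using var kdf = new Rfc2898DeriveBytes(Encoding.UTF8.GetBytes(password), salt, iterations, Hash);
        return kdf.GetBytes(KeySize);
    }

    // On .NET 6 and later the static Pbkdf2 method derives the same key without an
    // IDisposable instance; the algorithm is again an explicit argument.
    static byte[] DeriveModern(string password, byte[] salt, int iterations)
        => Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, iterations, Hash, KeySize);

    static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample input
        string stored = HashPassword(password);
        Console.WriteLine(stored);
        Console.WriteLine(VerifyPassword(password, stored));
        Console.WriteLine(VerifyPassword("wrong password", stored));

        // Both derivation paths produce the same key for the same inputs.
        string[] parts = stored.Split('.');
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] viaInstance = Derive(password, salt, Iterations);
        byte[] viaStatic = DeriveModern(password, salt, Iterations);
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(viaInstance, viaStatic));
    }
}
```

Storing the iteration count alongside the salt lets you raise the cost for new records later while still verifying old ones; the algorithm name is kept as a compile-time constant here, but a production scheme would typically record it in the stored string as well so it can be rotated.
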
Suppressing this rule is not recommended except for application compatibility reasons.

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5379
// The code that's violating the rule is on this line.
#pragma warning restore CA5379
```

To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5379.severity = none
```

For more information, see How to suppress code analysis warnings.

Violation: the weak algorithm is passed directly to the `Rfc2898DeriveBytes` constructor.

```csharp
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
    {
        // Violation: MD5 is explicitly selected as the PBKDF2 hash.
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.MD5);
    }
}
```

Violation: the weak algorithm is passed through a derived class's constructor to the base constructor.

```csharp
using System.Security.Cryptography;

class DerivedClass : Rfc2898DeriveBytes
{
    public DerivedClass(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
        : base(password, salt, iterations, hashAlgorithm)
    {
    }
}

class ExampleClass
{
    public void ExampleMethod(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
    {
        // Violation: MD5 flows through DerivedClass into the Rfc2898DeriveBytes base constructor.
        var derivedClass = new DerivedClass(password, salt, iterations, HashAlgorithmName.MD5);
    }
}
```

Violation: the derived class declares its own settable `HashAlgorithm` property. Because the base `Rfc2898DeriveBytes.HashAlgorithm` property is read-only, the new property only hides it; assigning it afterwards does not change the algorithm the base class was constructed with.

```csharp
using System.Security.Cryptography;

class DerivedClass : Rfc2898DeriveBytes
{
    public DerivedClass(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
        : base(password, salt, iterations, hashAlgorithm)
    {
    }

    // Hides the read-only base property; it has no effect on the key derivation.
    public new HashAlgorithmName HashAlgorithm { get; set; }
}

class ExampleClass
{
    public void ExampleMethod(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
    {
        // Violation: the base class is still constructed with MD5.
        var derivedClass = new DerivedClass(password, salt, iterations, HashAlgorithmName.MD5);
        // This assignment only sets the hiding property, not the algorithm used by the base class.
        derivedClass.HashAlgorithm = HashAlgorithmName.SHA256;
    }
}
```

Solution: specify SHA256 (or stronger) in the constructor call.

```csharp
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm)
    {
        // Compliant: SHA256 is selected explicitly at construction time.
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
    }
}
```