---
title: "CA5402: Use CreateEncryptor with the default IV (code analysis)"
description: "Provides information about code analysis rule CA5402, including causes, how to fix violations, and when to suppress it."
ms.date: 05/13/2020
author: LLLXXXCCC
ms.author: linche
---

# CA5402: Use CreateEncryptor with the default IV
| Property | Value |
|---|---|
| **Rule ID** | CA5402 |
| **Title** | Use CreateEncryptor with the default IV |
| **Category** | Security |
| **Fix is breaking or non-breaking** | Non-breaking |
| **Enabled by default in .NET 8** | No |
## Cause

The `rgbIV` could be non-default when using <xref:System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor%2A?displayProperty=fullName>.

## Rule description

Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.

This rule is similar to CA5401, but analysis can't determine that the initialization vector is definitely the default.
## How to fix violations

Use the default `rgbIV` value explicitly, that is, use the overload of <xref:System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor%2A?displayProperty=fullName> which doesn't have any parameter.
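The following is an added example, not code from the rule documentation, showing the pattern the fix calls for end to end: a fresh IV is generated on the algorithm instance, the parameterless `CreateEncryptor()` overload is used, and the IV is carried in front of the ciphertext so the receiver can set it on its own instance. It uses the cross-platform `Aes.Create()` factory rather than `AesCng`, and the key and message are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not part of the CA5402 documentation): encrypt with the
// parameterless CreateEncryptor() overload so the IV is the one the algorithm
// instance generated, and carry that IV with the ciphertext.
static class IvDemo
{
    // Returns IV || ciphertext. The IV is not secret; it only must never repeat
    // for the same key, which calling GenerateIV() per message guarantees.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using Aes aes = Aes.Create();            // CBC with PKCS7 padding by default
        aes.Key = key;
        aes.GenerateIV();                        // fresh random IV for this message
        using ICryptoTransform enc = aes.CreateEncryptor();   // no rgbIV argument
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] iv = aes.IV;
        byte[] output = new byte[iv.Length + ct.Length];
        Buffer.BlockCopy(iv, 0, output, 0, iv.Length);
        Buffer.BlockCopy(ct, 0, output, iv.Length, ct.Length);
        return output;
    }

    // Splits the transmitted IV off the front of the blob and decrypts the rest.
    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using Aes aes = Aes.Create();
        aes.Key = key;
        byte[] iv = new byte[aes.BlockSize / 8];  // 16 bytes for AES
        Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
        aes.IV = iv;                             // receiver sets the IV it was sent
        using ICryptoTransform dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);       // constructed sample key
        byte[] msg = Encoding.UTF8.GetBytes("same plaintext twice");  // constructed sample input
        byte[] first = Encrypt(key, msg);
        byte[] second = Encrypt(key, msg);
        // Identical plaintext and key, but distinct IVs, so the ciphertexts differ.
        Console.WriteLine("Ciphertexts differ: " +
            (Convert.ToHexString(first) != Convert.ToHexString(second)));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, first)));
    }
}
```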
## When to suppress warnings

It's safe to suppress a warning from this rule if:

- The `rgbIV` parameter was generated by <xref:System.Security.Cryptography.SymmetricAlgorithm.GenerateIV%2A?displayProperty=fullName>.
- You're sure that the `rgbIV` parameter is really random and non-repeatable.
- You're sure that the initialization vector is used.
## Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5402
// The code that's violating the rule is on this line.
#pragma warning restore CA5402
```

To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5402.severity = none
```

For more information, see How to suppress code analysis warnings.
## Pseudo-code examples

### Violation

```csharp
using System;
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] rgbIV)
    {
        AesCng aesCng = new AesCng();
        Random r = new Random();
        // The IV is sometimes replaced by a caller-supplied value, so the
        // analyzer can't tell whether the default IV is used.
        if (r.Next(6) == 4)
        {
            aesCng.IV = rgbIV;
        }
        aesCng.CreateEncryptor();
    }
}
```

### Solution

```csharp
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        AesCng aesCng = new AesCng();
        // The IV is left as the default generated by the algorithm instance.
        aesCng.CreateEncryptor();
    }
}
```