title: CA5402: Use CreateEncryptor with the default IV (code analysis)
description: Provides information about code analysis rule CA5402, including causes, how to fix violations, and when to suppress it.
ms.date: 05/13/2020
author: LLLXXXCCC
ms.author: linche
f1_keywords: CA5402

CA5402: Use CreateEncryptor with the default IV

| Property | Value |
|----------|-------|
| Rule ID | CA5402 |
| Title | Use CreateEncryptor with the default IV |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |

Cause

The rgbIV argument could be non-default when calling System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor.

Rule description

Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.

This rule is similar to CA5401, but it fires when the analysis can't determine whether the initialization vector is definitely the default.

How to fix violations

Use the default rgbIV value explicitly, that is, call the overload of System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor that takes no parameters. That overload uses the algorithm's IV property, which is generated randomly on first use if you haven't assigned it, so each encryptor gets a fresh initialization vector.

When to suppress warnings

It's safe to suppress a warning from this rule if:

  • The rgbIV parameter was generated by System.Security.Cryptography.SymmetricAlgorithm.GenerateIV.
  • You're sure that the rgbIV parameter is really random and non-repeatable.
  • You're sure that the initialization vector is used.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5402
// The code that's violating the rule is on this line.
#pragma warning restore CA5402

To disable the rule for a file, folder, or project, set its severity to none in the configuration file (for example, .editorconfig).

[*.{cs,vb}]
dotnet_diagnostic.CA5402.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

using System;
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] rgbIV)
    {
        AesCng aesCng = new AesCng();
        Random r = new Random();

        // The IV is only sometimes replaced with the caller-supplied rgbIV, so the
        // analyzer can't prove that CreateEncryptor() below uses the default IV.
        if (r.Next(6) == 4)
        {
            aesCng.IV = rgbIV;
        }

        aesCng.CreateEncryptor(); // CA5402 is reported here
    }
}

Solution

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        AesCng aesCng = new AesCng();
        // The IV property is never assigned, so the parameterless overload
        // uses the default (randomly generated) initialization vector.
        aesCng.CreateEncryptor();
    }
}
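The following program is an added example, not part of the rule documentation, that shows the difference the rule cares about: a caller-supplied, reused IV makes two encryptions of the same message produce the same ciphertext, while the parameterless CreateEncryptor() gets a fresh IV each time. It uses Aes.Create() rather than AesCng so it runs on any platform, and the all-zero fixedIv and the message text are constructed sample values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class IvDemo
{
    // Violation pattern: rgbIV comes from the caller and may be a fixed value.
    // With the same key, a reused IV makes equal plaintexts produce equal ciphertexts.
    static byte[] EncryptWithCallerIv(byte[] key, byte[] rgbIV, byte[] plaintext)
    {
        using Aes aes = Aes.Create();
        using ICryptoTransform enc = aes.CreateEncryptor(key, rgbIV);
        return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Fix: set only the key and call the parameterless CreateEncryptor(). The IV
    // property is left unset, so it is generated randomly when the encryptor is
    // created. The IV is not secret; it is prepended to the output for decryption.
    static byte[] EncryptWithDefaultIv(byte[] key, byte[] plaintext)
    {
        using Aes aes = Aes.Create();
        aes.Key = key;
        using ICryptoTransform enc = aes.CreateEncryptor();
        byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        return aes.IV.Concat(body).ToArray(); // aes.IV now holds the IV the encryptor used
    }

    // Decrypts output of EncryptWithDefaultIv: the first block is the IV.
    static byte[] DecryptWithPrependedIv(byte[] key, byte[] ivAndBody)
    {
        using Aes aes = Aes.Create();
        int ivLen = aes.BlockSize / 8;
        using ICryptoTransform dec = aes.CreateDecryptor(key, ivAndBody.Take(ivLen).ToArray());
        return dec.TransformFinalBlock(ivAndBody, ivLen, ivAndBody.Length - ivLen);
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // AES-256 key
        byte[] fixedIv = new byte[16];                   // constructed: hard-coded all-zero IV
        byte[] msg = Encoding.UTF8.GetBytes("transfer 100 to account 42"); // constructed sample
        byte[] a = EncryptWithCallerIv(key, fixedIv, msg);
        byte[] b = EncryptWithCallerIv(key, fixedIv, msg);
        Console.WriteLine($"fixed IV: ciphertexts identical = {a.SequenceEqual(b)}");
        byte[] c = EncryptWithDefaultIv(key, msg);
        byte[] d = EncryptWithDefaultIv(key, msg);
        Console.WriteLine($"default IV: ciphertexts identical = {c.SequenceEqual(d)}");
        Console.WriteLine($"round trip ok = {DecryptWithPrependedIv(key, c).SequenceEqual(msg)}");
    }
}
```

Note that an IV generated by GenerateIV is equally acceptable under the rule's suppression guidance; the parameterless overload simply makes that choice without any caller-supplied value to analyze.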