The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has
been protected. Standard algorithms like AES, RSA, SHA, … should be used instead.
This rule tracks custom implementation of these types from System.Security.Cryptography namespace:
-
AsymmetricAlgorithm
-
AsymmetricKeyExchangeDeformatter
-
AsymmetricKeyExchangeFormatter
-
AsymmetricSignatureDeformatter
-
AsymmetricSignatureFormatter
-
DeriveBytes
-
HashAlgorithm
-
ICryptoTransform
-
SymmetricAlgorithm
Recommended Secure Coding Practices
- Use a standard algorithm instead of creating a custom one.
Sensitive Code Example
Public Class CustomHash ' Noncompliant
Inherits HashAlgorithm
Private fResult() As Byte
Public Overrides Sub Initialize()
fResult = Nothing
End Sub
Protected Overrides Function HashFinal() As Byte()
Return fResult
End Function
Protected Overrides Sub HashCore(array() As Byte, ibStart As Integer, cbSize As Integer)
fResult = If(fResult, array.Take(8).ToArray)
End Sub
End Class
Compliant Solution
Dim mySHA256 As SHA256 = SHA256.Create()
See
