csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm


Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.


Definition

# Semgrep rule for C#: reports cipher objects obtained through the static
# Create(...) factory of the DES or RC2 types.
rules:
  - id: use_deprecated_cipher_algorithm
    # NOTE(review): of the two replacements named in the message, only
    # ChaCha20Poly1305 is an AEAD. Aes is a bare block cipher, so code moved to
    # it still needs an authenticated mode (e.g. AesGcm) or a separate MAC to
    # get integrity protection.
    message: Usage of deprecated cipher algorithm detected. Use Aes or
      ChaCha20Poly1305 instead.
    severity: ERROR
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A02:2021 - Cryptographic Failures
      references:
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - csharp
    # Both entries under `patterns` must hold for a finding to be reported.
    patterns:
      # Candidate match: any <receiver>.Create(<any arguments>) call; the
      # receiver is captured in $KEYTYPE.
      - pattern: $KEYTYPE.Create(...);
      # Filter: keep the candidate only when the receiver is DES or RC2.
      # Other legacy types (TripleDES, Rijndael) are not listed here, so they
      # are not reported by this rule.
      # NOTE(review): only the Create(...) factories are matched. Direct
      # construction such as `new DESCryptoServiceProvider()` would presumably
      # go unreported - confirm whether another rule covers it.
      - metavariable-pattern:
          metavariable: $KEYTYPE
          pattern-either:
            - pattern: DES
            - pattern: RC2

Examples

use_deprecated_cipher_algorithm.cs

using System;
using System.Security.Cryptography;
					
// Test fixture for the use_deprecated_cipher_algorithm Semgrep rule.
// Each method holds one Create(...) call. The annotation comment directly
// above the call states the expected result: `ruleid:` means the rule must
// report the next line, `ok:` means it must stay silent. Keep each annotation
// immediately above its call.
// The string "ImplementationName" is a placeholder argument; the cases with it
// exercise the one-argument Create overload.
// NOTE(review): `ok` here only means "not matched by this rule"; it is not an
// endorsement of the algorithm (see the TripleDES and Rijndael cases).
public class Encryption
{
	// Negative case: Aes is one of the replacements the rule message recommends.
	public void CreateAes1() {
		//ok: use_deprecated_cipher_algorithm
		var key = Aes.Create();
	}
	
	// Negative case: same as above, with an argument passed to Create.
	public void CreateAes2() {
		//ok: use_deprecated_cipher_algorithm
		var key = Aes.Create("ImplementationName");
	}

	// Negative case: Rijndael is not in the rule's DES/RC2 list.
	// NOTE(review): the Rijndael type is marked obsolete in recent .NET in
	// favour of Aes; new code should use Aes even though nothing is reported.
	public void CreateRijndael1() {
		//ok: use_deprecated_cipher_algorithm
		var key = Rijndael.Create();
	}
	
	// Negative case: Rijndael with an argument passed to Create.
	public void CreateRijndael2() {
		//ok: use_deprecated_cipher_algorithm
		var key = Rijndael.Create("ImplementationName");
	}

	// Positive case: DES.Create() must be reported.
	public void CreateDES1() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = DES.Create();
	}
	
	// Positive case: DES is reported regardless of the argument list.
	public void CreateDES2() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = DES.Create("ImplementationName");
	}

	// Negative case: TripleDES is not in the rule's DES/RC2 list, and the rule
	// must not confuse it with DES.
	// NOTE(review): TripleDES is itself a legacy cipher with a 64-bit block;
	// this fixture records that the rule ignores it, not that it is safe to
	// adopt. Migrate such code to Aes or ChaCha20Poly1305 as well.
	public void CreateTripleDES1() {
		//ok: use_deprecated_cipher_algorithm
		var key = TripleDES.Create();
	}
	
	// Negative case: TripleDES with an argument passed to Create.
	public void CreateTripleDES2() {
		//ok: use_deprecated_cipher_algorithm
		var key = TripleDES.Create("ImplementationName");
	}

	// Positive case: RC2.Create() must be reported.
	public void CreateRC21() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = RC2.Create();
	}
	
	// Positive case: RC2 is reported regardless of the argument list.
	public void CreateRC22() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = RC2.Create("ImplementationName");
	}
}