csharp.dotnet.security.use_deprecated_cipher_algorithm.use_deprecated_cipher_algorithm

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.

Run Locally

Run in CI

Defintion

rules:
  - id: use_deprecated_cipher_algorithm
    message: Usage of deprecated cipher algorithm detected. Use Aes or
      ChaCha20Poly1305 instead.
    severity: ERROR
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A02:2021 - Cryptographic Failures
      references:
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.des?view=net-6.0#remarks
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rc2?view=net-6.0#remarks
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aes?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    patterns:
      - pattern: $KEYTYPE.Create(...);
      - metavariable-pattern:
          metavariable: $KEYTYPE
          pattern-either:
            - pattern: DES
            - pattern: RC2

Examples

use_deprecated_cipher_algorithm.cs

using System;
using System.Security.Cryptography;
					
public class Encryption
{
	public void CreateAes1() {
		//ok: use_deprecated_cipher_algorithm
		var key = Aes.Create();
	}
	
	public void CreateAes2() {
		//ok: use_deprecated_cipher_algorithm
		var key = Aes.Create("ImplementationName");
	}

	public void CreateRijndael1() {
		//ok: use_deprecated_cipher_algorithm
		var key = Rijndael.Create();
	}
	
	public void CreateRijndael2() {
		//ok: use_deprecated_cipher_algorithm
		var key = Rijndael.Create("ImplementationName");
	}

	public void CreateDES1() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = DES.Create();
	}
	
	public void CreateDES2() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = DES.Create("ImplementationName");
	}

	public void CreateTripleDES1() {
		//ok: use_deprecated_cipher_algorithm
		var key = TripleDES.Create();
	}
	
	public void CreateTripleDES2() {
		//ok: use_deprecated_cipher_algorithm
		var key = TripleDES.Create("ImplementationName");
	}

	public void CreateRC21() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = RC2.Create();
	}
	
	public void CreateRC22() {
		//ruleid: use_deprecated_cipher_algorithm
		var key = RC2.Create("ImplementationName");
	}
}