csharp.dotnet.security.use_ecb_mode.use_ecb_mode


Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.


Definition

# Semgrep rule: reports use of the ECB block-cipher mode with .NET symmetric
# algorithms. ECB has no IV/chaining, so equal plaintext blocks produce equal
# ciphertext blocks and structure in the input is visible in the output; the
# message steers callers to an AEAD mode (AesGcm, ChaCha20Poly1305) instead.
rules:
  - id: use_ecb_mode
    message: Usage of the insecure ECB mode detected. You should use an
      authenticated encryption mode instead, which is implemented by the classes
      AesGcm or ChaCha20Poly1305.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      category: security
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A02:2021 - Cryptographic Failures
      references:
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - csharp
    # Three source forms are matched on a receiver whose declared type is one of
    # the $KEYTYPE alternatives below: the one-shot EncryptEcb/DecryptEcb
    # helpers and the legacy `Mode = CipherMode.ECB` property assignment.
    patterns:
      - pattern-either:
          - pattern: ($KEYTYPE $KEY).EncryptEcb(...);
          - pattern: ($KEYTYPE $KEY).DecryptEcb(...);
          - pattern: ($KEYTYPE $KEY).Mode = CipherMode.ECB;
      # The typed metavariable only binds when Semgrep can see the declared type
      # of $KEY, so the receiver must be typed as one of the classes listed.
      # NOTE(review): the assignment pattern is statement-shaped, so an
      # object-initializer form (`new ... { Mode = CipherMode.ECB }`) is not
      # covered by these patterns; whether concrete subclasses (e.g. AesManaged)
      # resolve to the listed base types depends on Semgrep's C# type
      # resolution — confirm with a fixture before relying on it.
      - metavariable-pattern:
          metavariable: $KEYTYPE
          pattern-either:
            - pattern: SymmetricAlgorithm
            - pattern: Aes
            - pattern: Rijndael
            - pattern: DES
            - pattern: TripleDES
            - pattern: RC2

Examples

use_ecb_mode.cs

using System;
using System.Security.Cryptography;
					
/// <summary>
/// Semgrep test fixture for the use_ecb_mode rule. A <c>//ruleid:</c> comment
/// marks the following line as one the rule must report; an <c>//ok:</c>
/// comment marks a line it must not. The exact shape of each statement
/// (typed declaration, property assignment, one-shot Ecb/Cbc call) is what
/// is under test, so these bodies are intentionally not "cleaned up".
/// </summary>
public class Encryption
{
	/// <summary>ECB selected by assigning <c>CipherMode.ECB</c> to <c>Mode</c> on an Aes instance.</summary>
	public void EncryptWithAesEcb() {
		// The algorithm instance is not disposed; the fixture only exercises
		// the Mode assignment the rule matches.
		Aes key = Aes.Create();
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var encryptor = key.CreateEncryptor();
		byte[] msg = new byte[32];
		var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
	}
	
	/// <summary>ECB selected through the one-shot <c>EncryptEcb</c> helper on an Aes instance.</summary>
	public void EncryptWithAesEcb2() {
		Aes key = Aes.Create();
		byte[] msg = new byte[32];
		//ruleid: use_ecb_mode
		var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
	}
	
	/// <summary>ECB selected via <c>Mode</c> before creating an Aes decryptor.</summary>
	public void DecryptWithAesEcb(byte[] cipherText) {
		Aes key = Aes.Create();
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var decryptor = key.CreateDecryptor();
		var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
	}
	
	/// <summary>ECB selected through the one-shot <c>DecryptEcb</c> helper on an Aes instance.</summary>
	public void DecryptWithAesEcb2(byte[] cipherText) {
		Aes key = Aes.Create();
		//ruleid: use_ecb_mode
		var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
	}
	
	/// <summary>Same <c>Mode</c> assignment as above, with a TripleDES receiver.</summary>
	public void EncryptWith3DESEcb() {
		TripleDES key = TripleDES.Create();
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var encryptor = key.CreateEncryptor();
		byte[] msg = new byte[32];
		var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
	}
	
	/// <summary>One-shot <c>EncryptEcb</c> with a TripleDES receiver.</summary>
	public void EncryptWith3DESEcb2() {
		TripleDES key = TripleDES.Create();
		byte[] msg = new byte[32];
		//ruleid: use_ecb_mode
		var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
	}
	
	/// <summary><c>Mode</c> assignment before decryption with a TripleDES receiver.</summary>
	public void DecryptWith3DESEcb(byte[] cipherText) {
		TripleDES key = TripleDES.Create();
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var decryptor = key.CreateDecryptor();
		var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
	}
	
	/// <summary>One-shot <c>DecryptEcb</c> with a TripleDES receiver.</summary>
	public void DecryptWith3DESEcb2(byte[] cipherText) {
		TripleDES key = TripleDES.Create();
		//ruleid: use_ecb_mode
		var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
	}
	
	/// <summary>
	/// Receiver typed as the abstract <c>SymmetricAlgorithm</c> base, supplied
	/// by the caller; the rule must still match on the declared parameter type.
	/// </summary>
	public void EncryptWithEcb(SymmetricAlgorithm key) {
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var encryptor = key.CreateEncryptor();
		byte[] msg = new byte[32];
		var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
	}
	
	/// <summary>One-shot <c>EncryptEcb</c> on a <c>SymmetricAlgorithm</c>-typed parameter.</summary>
	public void EncryptWithEcb2(SymmetricAlgorithm key) {
		byte[] msg = new byte[32];
		//ruleid: use_ecb_mode
		var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
	}
	
	/// <summary><c>Mode</c> assignment before decryption on a <c>SymmetricAlgorithm</c>-typed parameter.</summary>
	public void DecryptWithEcb(SymmetricAlgorithm key, byte[] cipherText) {
		//ruleid: use_ecb_mode
		key.Mode = CipherMode.ECB;
		using var decryptor = key.CreateDecryptor();
		var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
	}
	
	/// <summary>One-shot <c>DecryptEcb</c> on a <c>SymmetricAlgorithm</c>-typed parameter.</summary>
	public void DecryptWithEcb2(SymmetricAlgorithm key, byte[] cipherText) {
		//ruleid: use_ecb_mode
		var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
	}
	
	/// <summary>
	/// Negative case: CBC is not ECB, so the rule must stay silent. This says
	/// nothing about the rest of the call being sound (no IV is set here).
	/// </summary>
	public void EncryptWithAesCbc() {
		Aes key = Aes.Create();
		//ok: use_ecb_mode
		key.Mode = CipherMode.CBC;
		using var encryptor = key.CreateEncryptor();
		byte[] msg = new byte[32];
		var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
	}
	
	/// <summary>
	/// Negative case for the one-shot CBC helper. The IV is an all-zero
	/// <c>new byte[16]</c>, which is out of scope for this rule (it only
	/// inspects the mode) but is not something to copy into real code.
	/// </summary>
	public void EncryptWithAesCbc2() {
		Aes key = Aes.Create();
		byte[] msg = new byte[32];
		byte[] iv = new byte[16];
		//ok: use_ecb_mode
		var cipherText = key.EncryptCbc(msg, iv, PaddingMode.PKCS7);
	}
	
	/// <summary>Negative case: CBC decryptor via <c>Mode</c>.</summary>
	public void DecryptWithAesCbc(byte[] cipherText) {
		Aes key = Aes.Create();
		//ok: use_ecb_mode		
		key.Mode = CipherMode.CBC;
		using var decryptor = key.CreateDecryptor();
		var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
	}
	
	/// <summary>Negative case: one-shot <c>DecryptCbc</c> with a caller-supplied IV.</summary>
	public void DecryptWithAesCbc2(byte[] cipherText, byte[] iv) {
		Aes key = Aes.Create();
		//ok: use_ecb_mode		
		var msgText = key.DecryptCbc(cipherText, iv, PaddingMode.PKCS7);
	}	
	
	/// <summary>Entry point so the fixture compiles as a program; it calls none of the methods above.</summary>
	public static void Main()
	{
		Console.WriteLine("Hello World");
	}
}