csharp.dotnet.security.use_ecb_mode.use_ecb_mode
semgrep
Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
Definition
rules:
  - id: use_ecb_mode
    # Reported at every site that selects ECB, whether through the one-shot EncryptEcb/DecryptEcb
    # APIs or by assigning CipherMode.ECB to a SymmetricAlgorithm's Mode property.
    message: Usage of the insecure ECB mode detected. You should use an
      authenticated encryption mode instead, which is implemented by the classes
      AesGcm or ChaCha20Poly1305.
    severity: WARNING
    metadata:
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      category: security
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A02:2021 - Cryptographic Failures
      references:
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.chacha20poly1305?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0
        - https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.ciphermode?view=net-6.0
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - csharp
    patterns:
      # Three ways ECB is chosen in .NET: the two one-shot helpers and the Mode property.
      # The receiver is a typed metavariable, so only variables whose declared type is
      # one of the types listed in the metavariable-pattern below are matched.
      - pattern-either:
          - pattern: ($KEYTYPE $KEY).EncryptEcb(...);
          - pattern: ($KEYTYPE $KEY).DecryptEcb(...);
          - pattern: ($KEYTYPE $KEY).Mode = CipherMode.ECB;
      # Declared types accepted for the receiver. SymmetricAlgorithm is the common base class;
      # the others are the block-cipher base classes of the framework.
      # NOTE(review): variables declared with a concrete subclass name (e.g. AesManaged,
      # AesCryptoServiceProvider, TripleDESCryptoServiceProvider) are not in this list; confirm
      # whether typed-metavariable matching resolves them to a listed base type before relying
      # on the rule for such declarations.
      - metavariable-pattern:
          metavariable: $KEYTYPE
          pattern-either:
            - pattern: SymmetricAlgorithm
            - pattern: Aes
            - pattern: Rijndael
            - pattern: DES
            - pattern: TripleDES
            - pattern: RC2
Examples
use_ecb_mode.cs
using System;
using System.Security.Cryptography;
/// <summary>
/// Fixture for the Semgrep rule <c>use_ecb_mode</c>. Each <c>//ruleid:</c> comment marks the
/// line that follows it as one the rule must report; each <c>//ok:</c> comment marks a line it
/// must not. The bodies are deliberately minimal and exist only to exercise the rule's patterns,
/// so unused results and placeholder inputs are intentional.
/// </summary>
public class Encryption
{
    // --- Aes: both the Mode property and the one-shot Ecb helpers must be reported ---

    // Matched by the "($KEYTYPE $KEY).Mode = CipherMode.ECB;" pattern with $KEYTYPE = Aes.
    public void EncryptWithAesEcb() {
        // NOTE(review): Aes derives from SymmetricAlgorithm, which is IDisposable; the fixture
        // never disposes it. Outside a fixture this would be a `using` declaration.
        Aes key = Aes.Create();
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var encryptor = key.CreateEncryptor();
        // 32 zero bytes: two identical 16-byte blocks. Under ECB, identical plaintext blocks
        // produce identical ciphertext blocks, which is why the mode is flagged.
        byte[] msg = new byte[32];
        var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
    }

    // Matched by the "($KEYTYPE $KEY).EncryptEcb(...);" pattern.
    public void EncryptWithAesEcb2() {
        Aes key = Aes.Create();
        byte[] msg = new byte[32];
        //ruleid: use_ecb_mode
        var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
    }

    // Decryption side of the Mode-property case; the rule does not distinguish direction.
    public void DecryptWithAesEcb(byte[] cipherText) {
        Aes key = Aes.Create();
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var decryptor = key.CreateDecryptor();
        var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
    }

    // Matched by the "($KEYTYPE $KEY).DecryptEcb(...);" pattern.
    public void DecryptWithAesEcb2(byte[] cipherText) {
        Aes key = Aes.Create();
        //ruleid: use_ecb_mode
        var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
    }

    // --- TripleDES: same four shapes with $KEYTYPE = TripleDES ---

    public void EncryptWith3DESEcb() {
        TripleDES key = TripleDES.Create();
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var encryptor = key.CreateEncryptor();
        byte[] msg = new byte[32];
        var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
    }

    public void EncryptWith3DESEcb2() {
        TripleDES key = TripleDES.Create();
        byte[] msg = new byte[32];
        //ruleid: use_ecb_mode
        var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
    }

    public void DecryptWith3DESEcb(byte[] cipherText) {
        TripleDES key = TripleDES.Create();
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var decryptor = key.CreateDecryptor();
        var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
    }

    public void DecryptWith3DESEcb2(byte[] cipherText) {
        TripleDES key = TripleDES.Create();
        //ruleid: use_ecb_mode
        var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
    }

    // --- SymmetricAlgorithm base type: the receiver is a parameter, so its declared type
    // comes from the signature rather than a Create() call; $KEYTYPE = SymmetricAlgorithm ---

    public void EncryptWithEcb(SymmetricAlgorithm key) {
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var encryptor = key.CreateEncryptor();
        byte[] msg = new byte[32];
        var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
    }

    public void EncryptWithEcb2(SymmetricAlgorithm key) {
        byte[] msg = new byte[32];
        //ruleid: use_ecb_mode
        var cipherText = key.EncryptEcb(msg, PaddingMode.PKCS7);
    }

    public void DecryptWithEcb(SymmetricAlgorithm key, byte[] cipherText) {
        //ruleid: use_ecb_mode
        key.Mode = CipherMode.ECB;
        using var decryptor = key.CreateDecryptor();
        var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
    }

    public void DecryptWithEcb2(SymmetricAlgorithm key, byte[] cipherText) {
        //ruleid: use_ecb_mode
        var msgText = key.DecryptEcb(cipherText, PaddingMode.PKCS7);
    }

    // --- Negative cases: CBC must not be reported by this rule. Note that "not ECB" is the
    // only thing asserted here; CBC is still unauthenticated, and the rule's own message
    // recommends AesGcm or ChaCha20Poly1305 instead. ---

    public void EncryptWithAesCbc() {
        Aes key = Aes.Create();
        //ok: use_ecb_mode
        key.Mode = CipherMode.CBC;
        using var encryptor = key.CreateEncryptor();
        byte[] msg = new byte[32];
        var cipherText = encryptor.TransformFinalBlock(msg, 0, msg.Length);
    }

    public void EncryptWithAesCbc2() {
        Aes key = Aes.Create();
        byte[] msg = new byte[32];
        // All-zero IV is a fixture placeholder so EncryptCbc has an argument of the right
        // length; a real caller must supply a fresh unpredictable IV per message.
        byte[] iv = new byte[16];
        //ok: use_ecb_mode
        var cipherText = key.EncryptCbc(msg, iv, PaddingMode.PKCS7);
    }

    public void DecryptWithAesCbc(byte[] cipherText) {
        Aes key = Aes.Create();
        //ok: use_ecb_mode
        key.Mode = CipherMode.CBC;
        using var decryptor = key.CreateDecryptor();
        var msg = decryptor.TransformFinalBlock(cipherText, 0, cipherText.Length);
    }

    public void DecryptWithAesCbc2(byte[] cipherText, byte[] iv) {
        Aes key = Aes.Create();
        //ok: use_ecb_mode
        var msgText = key.DecryptCbc(cipherText, iv, PaddingMode.PKCS7);
    }

    // Placeholder entry point so the fixture builds as a runnable program; it does not call
    // any of the methods above.
    public static void Main()
    {
        Console.WriteLine("Hello World");
    }
}