CA5350: Do Not Use Weak Cryptographic Algorithms
| Property | Value |
|---|---|
| Rule ID | CA5350 |
| Title | Do Not Use Weak Cryptographic Algorithms |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 8 | No |
Note
This warning was last updated on November 2015.
Cause
Encryption algorithms such as TripleDES and hashing algorithms such as SHA1 and RIPEMD160 are considered to be weak.
These cryptographic algorithms do not provide as much security assurance as more modern counterparts. Cryptographic hashing algorithms SHA1 and RIPEMD160 provide less collision resistance than more modern hashing algorithms. The encryption algorithm TripleDES provides fewer bits of security than more modern encryption algorithms.
Rule description
Weak encryption algorithms and hashing functions are used today for a number of reasons, but they should not be used to guarantee the confidentiality of the data they protect.
The rule triggers when it finds 3DES, SHA1 or RIPEMD160 algorithms in the code and throws a warning to the user.
How to fix violations
Use cryptographically stronger options:
For TripleDES encryption, use Aes encryption.
For SHA1 or RIPEMD160 hashing functions, use ones in the SHA-2 family (for example, SHA512, SHA384, and SHA256).
When to suppress warnings
Suppress a warning from this rule when the level of protection needed for the data does not require a security guarantee.
Suppress a warning
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5350
// The code that's violating the rule is on this line.
#pragma warning restore CA5350
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5350.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.
SHA-1 Hashing Violation
using System.Security.Cryptography;
...
var hashAlg = SHA1.Create();
Solution:
using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();
RIPEMD160 Hashing Violation
using System.Security.Cryptography;
...
var hashAlg = RIPEMD160Managed.Create();
Solution:
using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();
TripleDES Encryption Violation
using System.Security.Cryptography;
...
using (TripleDES encAlg = TripleDES.Create())
{
...
}
Solution:
using System.Security.Cryptography;
...
using (AesManaged encAlg = new AesManaged())
{
...
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for