Events
17 Mar, 9 pm - 21 Mar, 10 am
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowCA5373: Do not use obsolete key derivation function
| Property | Value |
|---|---|
| Rule ID | CA5373 |
| Title | Do not use obsolete key derivation function |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Cryptographically weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and/or Rfc2898DeriveBytes.CryptDeriveKey are used to generate a key.
This rule detects the invocation of weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and Rfc2898DeriveBytes.CryptDeriveKey.
System.Security.Cryptography.PasswordDeriveBytes used a weak algorithm PBKDF1. Rfc2898DeriveBytes.CryptDeriveKey does not use iteration count and salt from the Rfc2898DeriveBytes object, which makes it weak.
Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing. Rfc2898DeriveBytes.GetBytes can be used to achieve that.
Suppress the warning if the risk associated with using PBKDF1 is carefully reviewed and accepted.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
C#
#pragma warning disable CA5373
// The code that's violating the rule is on this line.
#pragma warning restore CA5373
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
ini
[*.{cs,vb}]
dotnet_diagnostic.CA5373.severity = none
For more information, see How to suppress code analysis warnings.
As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.
C#
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV)
{
rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
}
}
C#
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes)
{
rfc2898DeriveBytes.GetBytes(1);
}
}
Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, see our contributor guide.
.NET feedback
.NET is an open source project. Select a link to provide feedback: