CA5358: Do Not Use Unsafe Cipher Modes

Property Value
Rule ID CA5358
Title Do Not Use Unsafe Cipher Modes
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

Use of one of the following unsafe encryption modes that is not approved:

Rule description

These modes are vulnerable to attacks and may cause exposure of sensitive information. For example, using ECB to encrypt a plaintext block always produces a same cipher text, so it can easily tell if two encrypted messages are identical. Using approved modes can avoid these unnecessary risks.

How to fix violations

When to suppress warnings

It's safe to suppress a warning from this rule if:

  • Cryptography experts have reviewed and approved the cipher mode's usage.
  • The referenced CipherMode isn't used for a cryptographic operation.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5358
// The code that's violating the rule is on this line.
#pragma warning restore CA5358

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5358.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Assign ECB to Mode property

using System.Security.Cryptography;

class ExampleClass {
    private static void ExampleMethod () {
        RijndaelManaged rijn = new RijndaelManaged
        {
            Mode = CipherMode.ECB
        };
    }
}

Using the value ECB

using System;
using System.Security.Cryptography;

class ExampleClass
{
    private static void ExampleMethod()
    {
        Console.WriteLine(CipherMode.ECB);
    }
}

Solution

using System.Security.Cryptography;

class ExampleClass {
    private static void ExampleMethod () {
        RijndaelManaged rijn = new RijndaelManaged
        {
            Mode = CipherMode.CBC
        };
    }
}