CA5401: Do not use CreateEncryptor with non-default IV

Article
09/06/2023

Property	Value
Rule ID	CA5401
Title	Do not use CreateEncryptor with non-default IV
Category	Security
Fix is breaking or non-breaking	Non-breaking
Enabled by default in .NET 8	No

Cause

Using System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor with non-default rgbIV.

Rule description

Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.

This rule is similar to CA5402, but analysis determines that the initialization vector is definitely the default.

How to fix violations

Use the default rgbIV value, that is, use the overload of the System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor which doesn't have any parameter.

When to suppress warnings

It's safe to suppress a warning from this rule if:

The rgbIV parameter was generated by System.Security.Cryptography.SymmetricAlgorithm.GenerateIV.
You're sure that the rgbIV is really random and non-repeatable.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5401
// The code that's violating the rule is on this line.
#pragma warning restore CA5401

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5401.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] rgbIV)
    {
        AesCng aesCng  = new AesCng();
        aesCng.IV = rgbIV;
        aesCng.CreateEncryptor();
    }
}

Solution

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        AesCng aesCng  = new AesCng();
        aesCng.CreateEncryptor();
    }
}