Sündmused
17. märts, 21 - 21. märts, 10
Liituge sarjaga, et luua muude arendajate ja ekspertidega skaleeritavad tehisintellektilahendused, mis põhinevad reaalajas kasutusjuhtumitel.
Registreeruge koheSeda brauserit enam ei toetata.
Uusimate funktsioonide, turbevärskenduste ja tehnilise toe kasutamiseks võtke kasutusele Microsoft Edge.
Property | Value |
---|---|
Rule ID | CA5373 |
Title | Do not use obsolete key derivation function |
Category | Security |
Fix is breaking or non-breaking | Non-breaking |
Enabled by default in .NET 9 | No |
Cryptographically weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and/or Rfc2898DeriveBytes.CryptDeriveKey are used to generate a key.
This rule detects the invocation of weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and Rfc2898DeriveBytes.CryptDeriveKey.
System.Security.Cryptography.PasswordDeriveBytes used a weak algorithm PBKDF1. Rfc2898DeriveBytes.CryptDeriveKey does not use iteration count and salt from the Rfc2898DeriveBytes
object, which makes it weak.
Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing. Rfc2898DeriveBytes.GetBytes can be used to achieve that.
Suppress the warning if the risk associated with using PBKDF1 is carefully reviewed and accepted.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5373
// The code that's violating the rule is on this line.
#pragma warning restore CA5373
To disable the rule for a file, folder, or project, set its severity to none
in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5373.severity = none
For more information, see How to suppress code analysis warnings.
As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV)
{
rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
}
}
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes)
{
rfc2898DeriveBytes.GetBytes(1);
}
}
Toote „.NET“ tagasiside
.NET on avatud lähtekoodiga projekt. Tagasiside andmiseks valige link:
Sündmused
17. märts, 21 - 21. märts, 10
Liituge sarjaga, et luua muude arendajate ja ekspertidega skaleeritavad tehisintellektilahendused, mis põhinevad reaalajas kasutusjuhtumitel.
Registreeruge kohe