Kaganapan
Mar 17, 9 PM - Mar 21, 10 AM
Sumali sa serye ng meetup upang bumuo ng mga scalable AI solusyon batay sa mga kaso ng paggamit ng tunay na mundo sa mga kapwa developer at eksperto.
Magparehistro naCA5373: Do not use obsolete key derivation function
| Property | Value |
|---|---|
| Rule ID | CA5373 |
| Title | Do not use obsolete key derivation function |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
Cryptographically weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and/or Rfc2898DeriveBytes.CryptDeriveKey are used to generate a key.
This rule detects the invocation of weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and Rfc2898DeriveBytes.CryptDeriveKey.
System.Security.Cryptography.PasswordDeriveBytes used a weak algorithm PBKDF1. Rfc2898DeriveBytes.CryptDeriveKey does not use iteration count and salt from the Rfc2898DeriveBytes object, which makes it weak.
Password-based key derivation should use the PBKDF2 algorithm with SHA-2 hashing. Rfc2898DeriveBytes.GetBytes can be used to achieve that.
Suppress the warning if the risk associated with using PBKDF1 is carefully reviewed and accepted.
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
C#
#pragma warning disable CA5373
// The code that's violating the rule is on this line.
#pragma warning restore CA5373
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
ini
[*.{cs,vb}]
dotnet_diagnostic.CA5373.severity = none
For more information, see How to suppress code analysis warnings.
As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.
C#
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV)
{
rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
}
}
C#
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes)
{
rfc2898DeriveBytes.GetBytes(1);
}
}
Makipagtulungan sa amin sa GitHub
Ang pinagmulan para sa content na ito ay mahahanap sa GitHub, kung saan maaari ka ring lumikha at sumuri ng mga isyu at mga pull request. Para sa higit pang impormasyon, tingnan ang aming gabay sa contributor.
Feedback sa .NET
Ang .NET ay isang open source na project. Pumili ng link para magbibigay ng feedback: