# CA5385: Use Rivest–Shamir–Adleman (RSA) algorithm with sufficient key size
| Property | Value |
|---|---|
| Rule ID | CA5385 |
| Title | Use Rivest–Shamir–Adleman (RSA) algorithm with sufficient key size |
| Category | Security |
| Fix is breaking or non-breaking | Non-breaking |
| Enabled by default in .NET 9 | No |
## Cause

Using the asymmetric encryption algorithm RSA with a key size of less than 2048 bits in one of the following ways:

- Instantiating any descendant class of System.Security.Cryptography.RSA and specifying the `KeySize` parameter as less than 2048.
- Returning any object whose type is a descendant of System.Security.Cryptography.RSA.
- Using System.Security.Cryptography.AsymmetricAlgorithm.Create without a parameter, which creates RSA with the default key size of 1024.
- Using System.Security.Cryptography.AsymmetricAlgorithm.Create and specifying the `algName` parameter as `RSA`, which creates RSA with the default key size of 1024.
- Using System.Security.Cryptography.CryptoConfig.CreateFromName and specifying the `name` parameter as `RSA`, which creates RSA with the default key size of 1024.
- Using System.Security.Cryptography.CryptoConfig.CreateFromName, specifying the `name` parameter as `RSA`, and explicitly specifying a key size smaller than 2048 through `args`.
## Rule description

An RSA key smaller than 2048 bits is more vulnerable to brute force attacks.
## How to fix violations

Switch to RSA with a key size of at least 2048 bits, or to the ECDH or ECDsa algorithm instead.
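The following is an added example, not code from the CA5385 rule page or from the .NET analyzer sources. It assumes .NET 8 APIs and a hypothetical `KeySizePolicy` helper class. It shows the two compliant choices the rule points to (RSA created with an explicit key size of at least 2048 bits, or ECDsa on a named curve) and adds a runtime check for keys imported from PEM, because the analyzer only sees key sizes that are literal in source; a key loaded from a file or secret store can still be 1024 bits and CA5385 will not report it.

```csharp
// Added example (not from the CA5385 page or the .NET analyzer sources).
// Assumes .NET 8. KeySizePolicy is a hypothetical helper name.
using System;
using System.Security.Cryptography;
using System.Text;

static class KeySizePolicy
{
    // Minimum RSA modulus length accepted by CA5385.
    public const int MinRsaKeySizeBits = 2048;

    // Compliant: the key size is explicit at creation time (3072 by default here).
    public static RSA CreateRsa(int keySizeInBits = 3072)
    {
        if (keySizeInBits < MinRsaKeySizeBits)
            throw new ArgumentOutOfRangeException(nameof(keySizeInBits),
                $"RSA key must be at least {MinRsaKeySizeBits} bits.");
        return RSA.Create(keySizeInBits);
    }

    // Compliant alternative named by the rule: ECDsa on the P-256 curve.
    public static ECDsa CreateEcdsa() => ECDsa.Create(ECCurve.NamedCurves.nistP256);

    // Runtime guard: an imported key has whatever size the PEM carries, which the
    // static analyzer cannot inspect, so the size is checked after import.
    public static RSA ImportRsaPrivateKeyPem(string pem)
    {
        RSA rsa = RSA.Create();
        try
        {
            rsa.ImportFromPem(pem);
            if (rsa.KeySize < MinRsaKeySizeBits)
                throw new CryptographicException(
                    $"Rejected RSA key of {rsa.KeySize} bits; minimum is {MinRsaKeySizeBits}.");
            return rsa;
        }
        catch
        {
            rsa.Dispose();
            throw;
        }
    }
}

class Program
{
    static void Main()
    {
        byte[] data = Encoding.UTF8.GetBytes("message to sign"); // constructed sample input

        using (RSA rsa = KeySizePolicy.CreateRsa())
        {
            byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
            Console.WriteLine($"RSA-{rsa.KeySize} PSS signature valid: " +
                rsa.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));

            // Round-trip through PEM so the import guard runs on a compliant key.
            using RSA imported = KeySizePolicy.ImportRsaPrivateKeyPem(rsa.ExportRSAPrivateKeyPem());
            Console.WriteLine($"Imported key size: {imported.KeySize}");
        }

        using (ECDsa ecdsa = KeySizePolicy.CreateEcdsa())
        {
            byte[] sig = ecdsa.SignData(data, HashAlgorithmName.SHA256);
            Console.WriteLine("ECDsa P-256 signature valid: " +
                ecdsa.VerifyData(data, sig, HashAlgorithmName.SHA256));
        }

        // A 1024-bit key, the pattern CA5385 reports, is rejected by the guard.
        try
        {
            using RSA weak = RSA.Create(1024); // CA5385 would flag this line in analyzed code
            KeySizePolicy.ImportRsaPrivateKeyPem(weak.ExportRSAPrivateKeyPem());
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

The import guard is the part worth keeping in production code: CA5385 catches `new RSACng(1024)` and `RSA.Create(1024)`, but a certificate or key file provisioned at deployment time is outside its reach, and `rsa.KeySize` after import is the only place that size becomes visible.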
## When to suppress warnings

Suppressing this rule is not recommended, except where it is required for compatibility with legacy applications and data.
## Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5385
// The code that's violating the rule is on this line.
#pragma warning restore CA5385
```

To disable the rule for a file, folder, or project, set its severity to `none` in the configuration file.

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5385.severity = none
```

For more information, see How to suppress code analysis warnings.
## Example

The following code snippet illustrates the pattern detected by this rule.

Violation:

```csharp
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        RSACng rsaCng = new RSACng(1024);
    }
}
```

Solution:

```csharp
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        RSACng rsaCng = new RSACng(2048);
    }
}
```