CA5350: Do Not Use Weak Cryptographic Algorithms
Note
This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, see Visual Studio documentation.
| Item | Value |
|---|---|
| TypeName | DoNotUseWeakCryptographicAlgorithms |
| CheckId | CA5350 |
| Category | Microsoft.Cryptography |
| Breaking Change | Non Breaking |
Note
This warning was last updated in November 2015.
Cause
Encryption algorithms such as TripleDES and hashing algorithms such as SHA1 and RIPEMD160 are considered to be weak.
These cryptographic algorithms do not provide as much security assurance as more modern counterparts. Cryptographic hashing algorithms SHA1 and RIPEMD160 provide less collision resistance than more modern hashing algorithms. The encryption algorithm TripleDES provides fewer bits of security than more modern encryption algorithms.
Rule Description
Weak encryption algorithms and hashing functions are used today for a number of reasons, but they should not be used to guarantee the confidentiality of the data they protect.
The rule triggers when it finds the 3DES, SHA1, or RIPEMD160 algorithms in the code, and it reports a warning to the user.
How to Fix Violations
Use cryptographically stronger options:
For TripleDES encryption, use Aes encryption.
For SHA1 or RIPEMD160 hashing functions, use ones in the SHA-2 family (e.g. SHA512, SHA384, SHA256).
When to Suppress Warnings
Suppress a warning from this rule when the level of protection needed for the data does not require a security guarantee.
Pseudo-code Example
As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.
SHA-1 Hashing Violation
using System.Security.Cryptography;
...
var hashAlg = SHA1.Create();
Solution
using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();
RIPEMD160 Hashing Violation
using System.Security.Cryptography;
...
var hashAlg = RIPEMD160Managed.Create();
Solution
using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();
TripleDES Encryption Violation
using System.Security.Cryptography;
...
using (TripleDES encAlg = TripleDES.Create())
{
...
}
Solution
using System.Security.Cryptography;
...
using (AesManaged encAlg = new AesManaged())
{
...
}
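The pseudo-code above shows only the type swap. The following C# example is added here and is not part of the original article; it carries both fixes through to working code and shows what changes besides the type name: digests grow from 20 to 32 bytes, and the cipher block and IV grow from 8 to 16 bytes, so values stored under the old algorithms cannot be read by the new code as is. The class and method names and the IV-prefixed output layout are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration: names and the IV || ciphertext layout are assumptions.
static class Ca5350Migration
{
    const int IvSize = 16; // AES block size in bytes; TripleDES used 8
    // SHA-256 digests are 32 bytes; SHA1 and RIPEMD160 digests were 20.
    public static byte[] Hash(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(data);
    }

    // AES-CBC (the Aes.Create() default) with a fresh random IV per message.
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;      // 16, 24 or 32 bytes
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
                return aes.IV.Concat(enc.TransformFinalBlock(plaintext, 0, plaintext.Length)).ToArray();
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        if (blob.Length < IvSize) throw new CryptographicException("Blob is shorter than the IV.");
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = blob.Take(IvSize).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvSize, blob.Length - IvSize);
        }
    }

    static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] msg = Encoding.UTF8.GetBytes("constructed sample record");
        byte[] roundTrip = Decrypt(key, Encrypt(key, msg));
        Console.WriteLine(Encoding.UTF8.GetString(roundTrip) + ", digest bytes: " + Hash(msg).Length);
    }
}
```

AES-CBC as used here provides confidentiality only and does not authenticate the ciphertext.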