CS.RCA
Risky cryptographic algorithm used
If a program operates by sensitive data or protects a communication channel, you may use cryptography to prevent attackers from reading it. There are several obsolete cryptographic algorithms which have proven to create weaknesses against attack.
The CS.RCA checker is a specialized checker that looks for usage of known broken or risky cryptographic algorithms in a program.
Vulnerability and risk
If a program uses broken or risky algorithms in data processing, it could lead to security weaknesses within a program. CWE-327 lists MD4, MD5, SHA1, DES and other algorithms as broken or risky for use. There are several algorithms in the System.Security.Cryptography namespace of .Net Framework supposed for compatibility, but are not recommended for use:
| Obsolete algorithm | Replacement algorithm(s) |
|---|---|
| DES | AES |
| TripleDES | AES |
| MD5 | SHA256, SHA512 |
| RC2 | AES |
| DSA | RSA, ECDSA, ECDiffeHellman |
| RIPEMD160 | SHA256, SHA512 |
| Rijndael | AES |
| SHA1 | SHA256, SHA512 |
Example 1
An instance of a class which represents a risky algorithm is created with the new operator.
using System.Security.Cryptography;
namespace Program
{
class Program
{
public static void Main()
{
var desEncryptor = new DESCryptoServiceProvider(); // CS.RCA reported
}
}
}Example 2
Create method of a class which represents a risky algorithm is invoked.
using System.Security.Cryptography;
namespace Program
{
class Program
{
public static void Main()
{
var desEncryptor = DES.Create(); // CS.RCA reported
}
}
}Example 3
A custom class is inherited from a class which represents a risky algorithm.
using System.Security.Cryptography;
namespace Program
{
class MyDESEcryptWrapper : DES // CS.RCA reported
{
...
}
}Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.