CS.RCA

Risky cryptographic algorithm used

If a program operates by sensitive data or protects a communication channel, you may use cryptography to prevent attackers from reading it. There are several obsolete cryptographic algorithms which have proven to create weaknesses against attack.

The CS.RCA checker is a specialized checker that looks for usage of known broken or risky cryptographic algorithms in a program.

Vulnerability and risk

If a program uses broken or risky algorithms in data processing, it could lead to security weaknesses within a program. CWE-327 lists MD4, MD5, SHA1, DES and other algorithms as broken or risky for use. There are several algorithms in the System.Security.Cryptography namespace of .Net Framework supposed for compatibility, but are not recommended for use:

Obsolete algorithm Replacement algorithm(s)
DES AES
TripleDES AES
MD5 SHA256, SHA512
RC2 AES
DSA RSA, ECDSA, ECDiffeHellman
RIPEMD160 SHA256, SHA512
Rijndael AES
SHA1 SHA256, SHA512

Example 1

An instance of a class which represents a risky algorithm is created with the new operator.

Copy
  using System.Security.Cryptography;
  
  namespace Program
  {
      class Program
      {
          public static void Main()
          {
              var desEncryptor = new DESCryptoServiceProvider(); // CS.RCA reported
         }
     }
 }

Example 2

Create method of a class which represents a risky algorithm is invoked.

Copy
  using System.Security.Cryptography;
  
  namespace Program
  {
      class Program
      {
          public static void Main()
          {
              var desEncryptor = DES.Create(); // CS.RCA reported
         }
     }
 }

Example 3

A custom class is inherited from a class which represents a risky algorithm.

Copy
  using System.Security.Cryptography;
 
  namespace Program
  {
      class MyDESEcryptWrapper : DES // CS.RCA reported
      {
          ...
      }
  }

Security training

Application security training materials provided by Secure Code Warrior.