CA5350: Do Not Use Weak Cryptographic Algorithms

Property Value
Rule ID CA5350
Title Do Not Use Weak Cryptographic Algorithms
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Note

This warning was last updated on November 2015.

Cause

Encryption algorithms such as TripleDES and hashing algorithms such as SHA1 and RIPEMD160 are considered to be weak.

These cryptographic algorithms do not provide as much security assurance as more modern counterparts. Cryptographic hashing algorithms SHA1 and RIPEMD160 provide less collision resistance than more modern hashing algorithms. The encryption algorithm TripleDES provides fewer bits of security than more modern encryption algorithms.

Rule description

Weak encryption algorithms and hashing functions are used today for a number of reasons, but they should not be used to guarantee the confidentiality of the data they protect.

The rule triggers when it finds 3DES, SHA1 or RIPEMD160 algorithms in the code and throws a warning to the user.

How to fix violations

Use cryptographically stronger options:

  • For TripleDES encryption, use Aes encryption.

  • For SHA1 or RIPEMD160 hashing functions, use ones in the SHA-2 family (for example, SHA512, SHA384, and SHA256).

When to suppress warnings

Suppress a warning from this rule when the level of protection needed for the data does not require a security guarantee.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5350
// The code that's violating the rule is on this line.
#pragma warning restore CA5350

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5350.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

As of the time of this writing, the following pseudo-code sample illustrates the pattern detected by this rule.

SHA-1 Hashing Violation

using System.Security.Cryptography;
...
var hashAlg = SHA1.Create();

Solution:

using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();

RIPEMD160 Hashing Violation

using System.Security.Cryptography;
...
var hashAlg = RIPEMD160Managed.Create();

Solution:

using System.Security.Cryptography;
...
var hashAlg = SHA256.Create();

TripleDES Encryption Violation

using System.Security.Cryptography;
...
using (TripleDES encAlg = TripleDES.Create())
{
  ...
}

Solution:

using System.Security.Cryptography;
...
using (AesManaged encAlg = new AesManaged())
{
  ...
}