CS.RCA

Risky cryptographic algorithm used

If a program operates by sensitive data or protects a communication channel, you may use cryptography to prevent attackers from reading it. There are several obsolete cryptographic algorithms which have proven to create weaknesses against attack.

The CS.RCA checker is a specialized checker that looks for usage of known broken or risky cryptographic algorithms in a program.

Vulnerability and risk

If a program uses broken or risky algorithms in data processing, it could lead to security weaknesses within a program. CWE-327 lists MD4, MD5, SHA1, DES and other algorithms as broken or risky for use. There are several algorithms in the System.Security.Cryptography namespace of .Net Framework supposed for compatibility, but are not recommended for use:

Example 1

An instance of a class which represents a risky algorithm is created with the new operator.

1  using System.Security.Cryptography;
2  
3  namespace Program
4  {
5      class Program
6      {
7          public static void Main()
8          {
9              var desEncryptor = new DESCryptoServiceProvider(); // CS.RCA reported
10         }
11     }
12 }

Example 2

Create method of a class which represents a risky algorithm is invoked.

1  using System.Security.Cryptography;
2  
3  namespace Program
4  {
5      class Program
6      {
7          public static void Main()
8          {
9              var desEncryptor = DES.Create(); // CS.RCA reported
10         }
11     }
12 }                            

Example 3

A custom class is inherited from a class which represents a risky algorithm.

1  using System.Security.Cryptography;
2 
3  namespace Program
4  {
5      class MyDESEcryptWrapper : DES // CS.RCA reported
6      {
7          ...
8      }
9  }    

Related checkers

• RCA
• SV.WEAK_CRYPTO.WEAK_HASH
• SV.WEAK.CRYPT