Use of broken or insecure cryptographic algorithms
Description
The code uses DES, TripleDES, or RC2, all of which are considered broken or insecure cryptographic algorithms. ChaCha20Poly1305 is recommended for .NET Framework versions greater than 6.0, and AES-256-GCM for older applications.
Examples
Insecure Code
```csharp
using System.Security.Cryptography;

// DES (56-bit key) is flagged by this rule; TripleDES and RC2 are flagged as well.
new DESCryptoServiceProvider();
```
Secure Code
```csharp
using System.Security.Cryptography;

// ChaCha20Poly1305 is an AEAD cipher: it authenticates the data as well as encrypting it.
using (ChaCha20Poly1305 encryptor = new ChaCha20Poly1305(key)) { ... }
```
Remediation
Replace the insecure algorithms with ChaCha20Poly1305 or AES-256-GCM.
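The following is an added example, not code from the rule page, showing the remediation in practice: a small helper that encrypts with ChaCha20Poly1305 when `ChaCha20Poly1305.IsSupported` is true (it is false on platforms whose crypto backend lacks the cipher) and falls back to AES-256-GCM otherwise. It assumes .NET 8 or later for the `AesGcm(key, tagSize)` constructor overload; the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the rule's own code: authenticated encryption with
// ChaCha20Poly1305 where the platform supports it, else AES-256-GCM.
// Assumes .NET 8+ for the AesGcm(key, tagSize) constructor overload.
public static class AeadExample
{
    const int KeySize = 32;   // 256-bit key, required by both algorithms
    const int NonceSize = 12; // 96-bit nonce, required by both algorithms
    const int TagSize = 16;   // 128-bit authentication tag

    // Blob layout: nonce || ciphertext || tag. A fresh random nonce per
    // message is mandatory: nonce reuse under one key breaks both AEADs.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, byte[] aad)
    {
        if (key.Length != KeySize) throw new ArgumentException("key must be 32 bytes");
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] blob = new byte[NonceSize + plaintext.Length + TagSize];
        nonce.CopyTo(blob, 0);
        Span<byte> ct = blob.AsSpan(NonceSize, plaintext.Length);
        Span<byte> tag = blob.AsSpan(NonceSize + plaintext.Length, TagSize);
        if (ChaCha20Poly1305.IsSupported)
            using (var aead = new ChaCha20Poly1305(key)) aead.Encrypt(nonce, plaintext, ct, tag, aad);
        else
            using (var aead = new AesGcm(key, TagSize)) aead.Encrypt(nonce, plaintext, ct, tag, aad);
        return blob;
    }

    // Throws CryptographicException if the tag does not verify, i.e. the
    // nonce, ciphertext or associated data was modified after encryption.
    public static byte[] Decrypt(byte[] key, byte[] blob, byte[] aad)
    {
        if (key.Length != KeySize) throw new ArgumentException("key must be 32 bytes");
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("blob too short");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> ct = blob.AsSpan(NonceSize, blob.Length - NonceSize - TagSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(blob.Length - TagSize, TagSize);
        byte[] plaintext = new byte[ct.Length];
        if (ChaCha20Poly1305.IsSupported)
            using (var aead = new ChaCha20Poly1305(key)) aead.Decrypt(nonce, ct, tag, plaintext, aad);
        else
            using (var aead = new AesGcm(key, TagSize)) aead.Decrypt(nonce, ct, tag, plaintext, aad);
        return plaintext;
    }
}
```

Both sides of a conversation must make the same algorithm choice, so a format that crosses platforms should also record which AEAD was used (for example in the associated data) rather than relying on `IsSupported` alone.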
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0442 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cryptography, insecure algorithm |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |