Do not use obsolete key derivation function
Microsoft docs
Description
This rule detects invocations of the weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and System.Security.Cryptography.Rfc2898DeriveBytes.CryptDeriveKey. PasswordDeriveBytes implements PBKDF1, an obsolete algorithm that RFC 2898 itself recommends only for compatibility with existing applications. Rfc2898DeriveBytes.CryptDeriveKey ignores the iteration count and salt supplied to the Rfc2898DeriveBytes object, so the derived key gets neither the work factor nor the salting that PBKDF2 is meant to provide.
Cause
The cryptographically weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and/or System.Security.Cryptography.Rfc2898DeriveBytes.CryptDeriveKey are used to generate a key.
How to fix violations
Password-based key derivation should use PBKDF2 with a SHA-2 hash function. System.Security.Cryptography.Rfc2898DeriveBytes.GetBytes can be used to achieve that. Construct the Rfc2898DeriveBytes with an explicit HashAlgorithmName such as HashAlgorithmName.SHA256; the constructors that take no hash algorithm default to SHA-1, which this guidance excludes. Pass a random, per-password salt and an iteration count sized for your platform, since those are the parameters that GetBytes actually honors and CryptDeriveKey discards.
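The following is an added example, not code from the rule documentation. It shows the obsolete PBKDF1 call that this rule flags next to a compliant PBKDF2-HMAC-SHA256 derivation with a random salt, an explicit iteration count and a constant-time verification step. The class and method names, the iteration count (600,000) and the 16-byte salt length are assumptions chosen for illustration; the sample password is constructed. The code assumes .NET 6 or later for RandomNumberGenerator.GetBytes and Convert.ToHexString.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the rule documentation). Derives an AES-256 key from a
// password with PBKDF2-HMAC-SHA256 and verifies it later in constant time.
// Iteration count and salt length are assumptions chosen for illustration.
public static class PasswordKeyDerivation
{
    private const int SaltSizeBytes = 16;    // assumption: 128-bit random salt
    private const int Iterations = 600_000;  // assumption: tune to your cost budget
    private const int KeySizeBytes = 32;     // 256-bit AES key

    // Flagged by this rule: PasswordDeriveBytes implements PBKDF1 (MD5/SHA-1 only,
    // and requests longer than one digest rely on a non-standard extension).
    // Rfc2898DeriveBytes.CryptDeriveKey is flagged for the same reason: it ignores
    // the salt and iteration count given to the Rfc2898DeriveBytes constructor.
    public static byte[] DeriveKeyObsolete(string password, byte[] salt)
    {
        using var pdb = new PasswordDeriveBytes(password, salt);
        return pdb.GetBytes(KeySizeBytes);
    }

    // Compliant: PBKDF2 with an explicit SHA-2 hash, a fresh random salt and an
    // iteration count that actually applies to the derived key.
    public static (byte[] Key, byte[] Salt) DeriveKey(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSizeBytes);
        return (DeriveKey(password, salt), salt);
    }

    // Re-derivation with a stored salt (used when verifying a password).
    public static byte[] DeriveKey(string password, byte[] salt)
    {
        // Constructors without a HashAlgorithmName default to SHA-1; always pass one.
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(KeySizeBytes);
    }

    // Compares the candidate key against the stored one without leaking timing,
    // and wipes the candidate from memory afterwards.
    public static bool VerifyKey(string password, byte[] salt, byte[] expectedKey)
    {
        byte[] candidate = DeriveKey(password, salt);
        try
        {
            return CryptographicOperations.FixedTimeEquals(candidate, expectedKey);
        }
        finally
        {
            CryptographicOperations.ZeroMemory(candidate);
        }
    }

    public static void Main()
    {
        const string password = "correct horse battery staple"; // constructed sample input
        var (key, salt) = DeriveKey(password);
        Console.WriteLine($"salt = {Convert.ToHexString(salt)}");
        Console.WriteLine($"key  = {Convert.ToHexString(key)}");
        Console.WriteLine($"verify(correct password) = {VerifyKey(password, salt, key)}");
        Console.WriteLine($"verify(wrong password)   = {VerifyKey("wrong password", salt, key)}");

        // The obsolete path is kept only to show what the analyzer reports; do not ship it.
        byte[] weak = DeriveKeyObsolete(password, salt);
        Console.WriteLine($"PBKDF1 key (flagged)     = {Convert.ToHexString(weak)}");
    }
}
```

Store the salt alongside the derived key (or the ciphertext it protects) so the same key can be re-derived later; the iteration count should be stored too if you expect to raise it over time. On .NET 6 and later the static Rfc2898DeriveBytes.Pbkdf2 method performs the same derivation without constructing an object.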
Example
Violation:
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes, string algname, string alghashname, int keySize, byte[] rgbIV)
{
// Flagged: CryptDeriveKey ignores the salt and iteration count held by rfc2898DeriveBytes.
rfc2898DeriveBytes.CryptDeriveKey(algname, alghashname, keySize, rgbIV);
}
}
Solution:
using System;
using System.Security.Cryptography;
class TestClass
{
public void TestMethod(Rfc2898DeriveBytes rfc2898DeriveBytes)
{
// GetBytes runs PBKDF2 with the salt, iteration count and hash algorithm
// the object was constructed with; the argument is the key length in bytes.
rfc2898DeriveBytes.GetBytes(32);
}
}
When to suppress
Suppress the warning only if the risk of using PBKDF1 or CryptDeriveKey has been carefully reviewed and accepted, for example where compatibility with keys already derived by legacy code is required.