CA5387 (Security). Enabled by default: No

Do not use weak key derivation function with insufficient iteration count

Microsoft docs

Description

This rule checks if a cryptographic key was generated by System.Security.Cryptography.Rfc2898DeriveBytes with an iteration count of less than 100,000. A higher iteration count can help mitigate against dictionary attacks that try to guess the generated cryptographic key.

This rule is similar to CA5388, but it fires only when analysis can determine that the iteration count is less than 100,000.

Cause

Calling System.Security.Cryptography.Rfc2898DeriveBytes.GetBytes with the default iteration count, or with an explicitly specified iteration count of less than 100,000.

By default, this rule analyzes the entire codebase, but this is configurable.

How to fix violations

Set the iteration count to a value greater than or equal to 100,000 before calling System.Security.Cryptography.Rfc2898DeriveBytes.GetBytes.

Example

Violations

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(string password, byte[] salt, int cb)
    {
        // Violation: the two-argument constructor uses the default iteration count (1,000).
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt);
        rfc2898DeriveBytes.GetBytes(cb);
    }
}

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(string password, byte[] salt, int cb)
    {
        // Violation: an explicit iteration count of 100 is far below the 100,000 threshold.
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt, 100);
        rfc2898DeriveBytes.GetBytes(cb);
    }
}

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(string password, byte[] salt, int cb)
    {
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt);
        // Violation: IterationCount is lowered to 100 before the key is derived.
        rfc2898DeriveBytes.IterationCount = 100;
        rfc2898DeriveBytes.GetBytes(cb);
    }
}

Solution

using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(string password, byte[] salt, int cb)
    {
        var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, salt);
        // Compliant: IterationCount is raised to 100,000 before GetBytes is called.
        rfc2898DeriveBytes.IterationCount = 100000;
        rfc2898DeriveBytes.GetBytes(cb);
    }
}
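As an added example that is not part of the Microsoft docs, the following hash-and-verify helper shows how the rule's threshold fits into a complete password-storage pattern: the iteration count and salt are stored alongside the derived key, verification compares in constant time, and a value stored with a lower count (the compatibility case from "When to suppress") can be detected and re-hashed. The class name, the "iterations.salt.key" storage format and the .NET Core 3.0+/C# 8 target are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;

static class PasswordHasher
{
    // 100,000 is the minimum CA5387 accepts. SHA-256 is passed explicitly because
    // the two-argument constructor defaults to SHA-1 and 1,000 iterations.
    private const int Iterations = 100_000;
    private const int SaltSize = 16;   // 128-bit salt
    private const int KeySize = 32;    // 256-bit derived key

    // Derives a key from the password under a fresh random salt and returns
    // "iterations.salt.key" (assumed format) so the parameters are stored with the value.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        RandomNumberGenerator.Fill(salt);
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        byte[] key = kdf.GetBytes(KeySize);

        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    // Re-derives the key with the stored salt and iteration count and compares
    // in constant time. A value stored with a lower count still verifies (the
    // compatibility case in "When to suppress"); use NeedsRehash to upgrade it.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations < 1)
            return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[1]);
            expected = Convert.FromBase64String(parts[2]);
        }
        catch (FormatException) { return false; }
        if (expected.Length == 0 || salt.Length < 8) return false; // Rfc2898DeriveBytes rejects short salts

        using var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256);
        byte[] actual = kdf.GetBytes(expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // True when the stored value was produced with fewer iterations than the current setting.
    public static bool NeedsRehash(string stored) =>
        !int.TryParse(stored.Split('.')[0], out int iterations) || iterations < Iterations;
}
```

Call Verify on login and, when it succeeds and NeedsRehash returns true, replace the stored value with Hash(password) so legacy records migrate to 100,000 iterations without a separate data conversion.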

When to suppress

It's safe to suppress a warning if you need to use a smaller iteration count for compatibility with existing data.
