CA5401 (category: Security). Enabled by default: No

Do not use CreateEncryptor with non-default IV


Description

Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks.

This rule is similar to CA5402, but analysis determines that the initialization vector is definitely the default.

Cause

Using System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor with non-default rgbIV.

How to fix violations

Use the default rgbIV value, that is, call the overload of System.Security.Cryptography.SymmetricAlgorithm.CreateEncryptor that takes no parameters, so the encryptor uses the IV the algorithm object already holds (for example, one produced by GenerateIV).

Example

// Violation: the IV is supplied by the caller, so the analyzer cannot know
// that it is random and non-repeating.
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod(byte[] rgbIV)
    {
        AesCng aesCng = new AesCng();
        aesCng.IV = rgbIV;          // caller-controlled IV
        aesCng.CreateEncryptor();   // CA5401 fires here
    }
}

// Solution: do not assign a caller-supplied IV; the parameterless
// CreateEncryptor uses the IV the AesCng instance generated itself.
using System.Security.Cryptography;

class ExampleClass
{
    public void ExampleMethod()
    {
        AesCng aesCng = new AesCng();
        aesCng.CreateEncryptor();   // default IV, no warning
    }
}
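The following is an added example, not part of the rule documentation, showing the fixed pattern end to end: a fresh IV from GenerateIV for every encryption, carried in front of the ciphertext so the receiver can decrypt. It uses Aes.Create() rather than AesCng, and the method names EncryptWithFreshIv and DecryptWithPrefixedIv are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the CA5401 documentation). Method names are hypothetical.
static class IvHandling
{
    // Returns IV || ciphertext. The parameterless CreateEncryptor() uses the IV
    // that GenerateIV() just produced, which is exactly what CA5401 asks for.
    public static byte[] EncryptWithFreshIv(byte[] key, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.GenerateIV();                       // random, non-repeating IV per call
        using var encryptor = aes.CreateEncryptor();
        byte[] ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);

        byte[] output = new byte[aes.IV.Length + ciphertext.Length];
        Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
        Buffer.BlockCopy(ciphertext, 0, output, aes.IV.Length, ciphertext.Length);
        return output;
    }

    // Decryption must reuse the IV chosen at encryption time. Reading it back from
    // the message is fine: the IV is not secret, it only has to be non-repeating.
    // Assigning IV before CreateDecryptor() is not what CA5401 flags.
    public static byte[] DecryptWithPrefixedIv(byte[] key, byte[] message)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        int ivLength = aes.BlockSize / 8;       // 16 bytes for AES
        byte[] iv = new byte[ivLength];
        Buffer.BlockCopy(message, 0, iv, 0, ivLength);
        aes.IV = iv;
        using var decryptor = aes.CreateDecryptor();
        return decryptor.TransformFinalBlock(message, ivLength, message.Length - ivLength);
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // constructed demo key (AES-256)
        byte[] plaintext = Encoding.UTF8.GetBytes("same plaintext, twice");
        byte[] first = EncryptWithFreshIv(key, plaintext);
        byte[] second = EncryptWithFreshIv(key, plaintext);
        // Same key and plaintext, but a fresh IV each time: the outputs differ.
        Console.WriteLine(Convert.ToHexString(first) == Convert.ToHexString(second) ? "IV reused" : "IV fresh");
        Console.WriteLine(Encoding.UTF8.GetString(DecryptWithPrefixedIv(key, second)));
    }
}
```

Requires .NET 6 or later for RandomNumberGenerator.GetBytes and Convert.ToHexString.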

When to suppress

It's safe to suppress a warning from this rule if:

  • The rgbIV parameter was generated by System.Security.Cryptography.SymmetricAlgorithm.GenerateIV.
  • You're sure that the rgbIV is really random and non-repeatable.