Strong cipher algorithms are cryptographic systems resistant to cryptanalysis; they are not vulnerable to well-known attacks such as brute-force attacks.

A general recommendation is to use only cipher algorithms that have been intensively tested and promoted by the cryptographic community.

More specifically, for block ciphers, it is not recommended to use an algorithm with a block size smaller than 128 bits.

Noncompliant Code Example

For the System.Security.Cryptography library, these old cryptographic algorithms should no longer be used for any reason:

Dim TripleDES1 As New TripleDESCryptoServiceProvider() ' Noncompliant: Triple DES is vulnerable to a meet-in-the-middle attack

Dim SimpleDES As New DESCryptoServiceProvider() ' Noncompliant: DES works with 56-bit keys, which allow attacks via exhaustive search

Dim RC2 As New RC2CryptoServiceProvider() ' Noncompliant: RC2 is vulnerable to a related-key attack

For the Bouncy Castle library, AESFastEngine has a side-channel leak: it is possible to gain information about the key used to initialize the cipher:

Dim AesFast As New AesFastEngine() ' Noncompliant

Compliant Solution

For the System.Security.Cryptography library, it is recommended to use AesCryptoServiceProvider:

Dim AES As New AesCryptoServiceProvider() ' Compliant

For the Bouncy Castle library, it is recommended to use AESEngine:

Dim AES As New AESEngine() ' Compliant
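
The following is an added example, not part of the original rule text or of either library's code. It applies the 128-bit block-size recommendation as a runtime guard around an AesCryptoServiceProvider round trip. The names StrongCipherExample, HasAdequateBlockSize, Encrypt and Decrypt are hypothetical, and the message is constructed.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module StrongCipherExample
    ' Hypothetical guard: reject block ciphers whose block size is below 128 bits.
    Function HasAdequateBlockSize(alg As SymmetricAlgorithm) As Boolean
        Return alg.BlockSize >= 128 ' BlockSize is expressed in bits
    End Function

    ' Encrypts with the key and IV already set on alg, after checking the block size.
    Function Encrypt(alg As SymmetricAlgorithm, plaintext As Byte()) As Byte()
        If Not HasAdequateBlockSize(alg) Then
            Throw New CryptographicException(
                alg.GetType().Name & " has a " & alg.BlockSize & "-bit block; 128 bits or more required")
        End If
        Using enc As ICryptoTransform = alg.CreateEncryptor()
            Return enc.TransformFinalBlock(plaintext, 0, plaintext.Length)
        End Using
    End Function

    Function Decrypt(alg As SymmetricAlgorithm, ciphertext As Byte()) As Byte()
        Using dec As ICryptoTransform = alg.CreateDecryptor()
            Return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length)
        End Using
    End Function

    Sub Main()
        Dim message As Byte() = Encoding.UTF8.GetBytes("constructed sample message")
        ' Compliant: AES has a 128-bit block; use a fresh random key and IV.
        ' The provider defaults (CBC mode, PKCS7 padding) are left unchanged.
        Using cipher As New AesCryptoServiceProvider()
            cipher.GenerateKey()
            cipher.GenerateIV()
            Dim ct As Byte() = Encrypt(cipher, message)
            Console.WriteLine("AES round trip: " & Encoding.UTF8.GetString(Decrypt(cipher, ct)))
        End Using

        ' The noncompliant providers listed above all use 64-bit blocks and are refused.
        Dim legacy As SymmetricAlgorithm() = {New TripleDESCryptoServiceProvider(), New DESCryptoServiceProvider(), New RC2CryptoServiceProvider()}
        For Each alg As SymmetricAlgorithm In legacy
            Try
                Encrypt(alg, message)
            Catch ex As CryptographicException
                Console.WriteLine("Refused: " & ex.Message)
            End Try
            alg.Dispose()
        Next
    End Sub
End Module
```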

See