The use of a non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever data has been protected. Standard algorithms such as AES, RSA or SHA should be used instead.

This rule tracks custom implementations of these types from the System.Security.Cryptography namespace:

Recommended Secure Coding Practices

Sensitive Code Example

Imports System.Linq
Imports System.Security.Cryptography

Public Class CustomHash     ' Noncompliant
    Inherits HashAlgorithm

    Private fResult() As Byte

    Public Overrides Sub Initialize()
        fResult = Nothing
    End Sub

    Protected Overrides Function HashFinal() As Byte()
        Return fResult
    End Function

    ' Home-made "hash": keeps only the first 8 bytes of the first block it is given.
    Protected Overrides Sub HashCore(array() As Byte, ibStart As Integer, cbSize As Integer)
        fResult = If(fResult, array.Take(8).ToArray())
    End Sub

End Class

Compliant Solution

Dim mySHA256 As SHA256 = SHA256.Create()

See