Create rule S5344: Passwords should not be stored in plain-text or with a fast hashing algorithm #8998
Labels: Area: C# (C# rules related issues); Area: Security (Related to Vulnerability and Security Hotspot rules); Type: New Rule (Implementation for a rule that HAS been specified).
Task list:
- PasswordHasherOptions.IterationCount < 100K (Core)
- PasswordHasherOptions.CompatibilityMode == IdentityV2 (Core)
- KeyDerivation.Pbkdf2.iterationCount < 100K (Core)
- Rfc2898DeriveBytes.Pbkdf2.iterations < 100K (Core)
- PasswordHasher instantiated (FRM)
- Rfc2898DeriveBytes.iterations < 100K (cross-platform)
- Rfc2898DeriveBytes.hashAlgorithm does not exist (cross-platform)
- (OpenBsdCrypt/BCrypt).Generate.cost < 12 (BouncyCastle)
- PbeParametersGenerator.Init.iterationCount < 100K (BouncyCastle)
- SCrypt.Generate N < 2^12, r < 8, or dklen < 32 (BouncyCastle)

Why
As part of MMF-3716, we want to close the gap between C# and other languages regarding cryptography-related rules support. S5344 is one of the rules that is not currently supported by this analyzer.
What
S5344 aims to detect when passwords are stored in clear text or with a fast hashing algorithm. Here, we will focus on detecting cost-tweakable password hashing functions configured with insufficiently strong parameters. The detection logic will be split between three components: .NET Core, .NET Framework and BouncyCastle.
Detection logic

.NET Core

For Microsoft.AspNetCore.Identity: raise on PasswordHasherOptions attributes matching:
- IterationCount is < 100 000
- CompatibilityMode is set to PasswordHasherCompatibilityMode.IdentityV2
Example code

For Microsoft.AspNetCore.Cryptography.KeyDerivation: raise when KeyDerivation.Pbkdf2 is called with iterationCount < 100 000.
Example code

For System.Security.Cryptography:
- Raise when Rfc2898DeriveBytes is instantiated with an iterations parameter < 100 000.
- Raise when Rfc2898DeriveBytes is instantiated without a hashAlgorithm parameter.
- Raise when Rfc2898DeriveBytes.Pbkdf2 is called with an iterations parameter < 100 000.
Example code
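The following C# is an added illustration written for this issue write-up, not the example code attached to the issue or the analyzer's own test cases. It shows, for each of the three .NET Core detection targets above, a call the rule would flag next to a call it would accept. It assumes an ASP.NET Core project that references Microsoft.AspNetCore.Identity and the Microsoft.AspNetCore.Cryptography.KeyDerivation package; the class and method names are hypothetical.

```csharp
// Added example (not from the issue): .NET Core call sites the rule targets,
// each noncompliant form next to a compliant one.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class CoreHashingSamples
{
    // Microsoft.AspNetCore.Identity: PasswordHasherOptions
    public static void ConfigureIdentityNoncompliant(IServiceCollection services)
    {
        services.Configure<PasswordHasherOptions>(options =>
        {
            options.IterationCount = 10_000;                                       // Noncompliant: < 100 000
            options.CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV2; // Noncompliant: IdentityV2 format
        });
    }

    public static void ConfigureIdentityCompliant(IServiceCollection services)
    {
        services.Configure<PasswordHasherOptions>(options =>
        {
            options.IterationCount = 100_000;                                      // Compliant
            options.CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3; // Compliant: PBKDF2-HMAC-SHA256 format
        });
    }

    // Microsoft.AspNetCore.Cryptography.KeyDerivation: KeyDerivation.Pbkdf2
    public static byte[] KeyDerivationNoncompliant(string password, byte[] salt) =>
        KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256,
            iterationCount: 1_000, numBytesRequested: 32);                         // Noncompliant: < 100 000

    public static byte[] KeyDerivationCompliant(string password, byte[] salt) =>
        KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA256,
            iterationCount: 100_000, numBytesRequested: 32);                       // Compliant

    // System.Security.Cryptography: Rfc2898DeriveBytes
    public static byte[] Rfc2898NoHashAlgorithm(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 100_000);           // Noncompliant: no hashAlgorithm (defaults to SHA-1)
        return kdf.GetBytes(32);
    }

    public static byte[] Rfc2898FewIterations(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, 10_000, HashAlgorithmName.SHA256); // Noncompliant: < 100 000
        return kdf.GetBytes(32);
    }

    public static byte[] Rfc2898StaticNoncompliant(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 10_000, HashAlgorithmName.SHA256, 32); // Noncompliant: < 100 000

    public static byte[] Rfc2898Compliant(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32); // Compliant

    // Salt for any of the calls above; 16 random bytes per stored password.
    public static byte[] NewSalt() => RandomNumberGenerator.GetBytes(16);
}
```

The thresholds in the comments are the ones listed in this issue; the Identity options are applied through the normal `services.Configure<PasswordHasherOptions>` call so that `PasswordHasher<TUser>` picks them up.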
.NET Framework

For Microsoft.AspNet.Identity: raise any time a PasswordHasher is instantiated.
Example code

For System.Security.Cryptography:
- Raise when Rfc2898DeriveBytes is instantiated with an iterations parameter < 10 000.
- Raise when Rfc2898DeriveBytes is instantiated without a hashAlgorithm parameter.
Example code
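As an added illustration for the .NET Framework targets above (again my own code, not the issue's attached examples or the analyzer's tests), the block below shows the flagged `PasswordHasher` instantiation and `Rfc2898DeriveBytes` calls, followed by a hypothetical `IPasswordHasher` replacement that keeps the hash algorithm explicit and the iteration count at or above the 10 000 threshold stated for Framework. It assumes Microsoft.AspNet.Identity.Core and .NET Framework 4.7.2 or later, where the `Rfc2898DeriveBytes` overload taking a `HashAlgorithmName` is available; the storage format `iterations.salt.key` is an assumption of this example, not an Identity convention.

```csharp
// Added example (not from the issue): .NET Framework call sites the rule targets,
// plus a replacement hasher with an explicit hash algorithm.
using System;
using System.Security.Cryptography;
using Microsoft.AspNet.Identity;

public static class FrameworkNoncompliant
{
    public static string HashWithIdentityHasher(string password)
    {
        var hasher = new PasswordHasher();                          // Noncompliant: fixed parameters that cannot be tuned
        return hasher.HashPassword(password);
    }

    public static byte[] DeriveNoHashAlgorithm(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10_000))          // Noncompliant: no hashAlgorithm
        {
            return kdf.GetBytes(32);
        }
    }

    public static byte[] DeriveFewIterations(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 1_000, HashAlgorithmName.SHA256)) // Noncompliant: < 10 000
        {
            return kdf.GetBytes(32);
        }
    }
}

// Compliant replacement; can be assigned to UserManager<TUser>.PasswordHasher.
public sealed class Pbkdf2Sha256PasswordHasher : IPasswordHasher
{
    private const int Iterations = 10_000;   // Framework threshold from the issue; raise it where latency allows
    private const int SaltSize = 16;
    private const int KeySize = 32;

    public string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        byte[] key;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)) // Compliant
        {
            key = kdf.GetBytes(KeySize);
        }
        // Hypothetical storage format: iterations.salt.key (salt and key base64-encoded).
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        string[] parts = hashedPassword.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
        {
            return PasswordVerificationResult.Failed;
        }
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(providedPassword, salt, iterations, HashAlgorithmName.SHA256))
        {
            actual = kdf.GetBytes(expected.Length);
        }
        if (!FixedTimeEquals(expected, actual))
        {
            return PasswordVerificationResult.Failed;
        }
        // A hash stored with fewer iterations than the current setting is accepted once
        // and reported so the caller can re-hash it with the stronger parameters.
        return iterations < Iterations
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Success;
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is not available on .NET Framework.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Returning `SuccessRehashNeeded` for hashes stored with a lower count than the current setting is what lets an application raise its iteration count later without a forced password reset.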
BouncyCastle

For Org.BouncyCastle.Crypto.Generators.OpenBsdBCrypt or Org.BouncyCastle.Crypto.Generators.BCrypt: raise when Generate is called with cost < 12.

For Org.BouncyCastle.Crypto.PbeParametersGenerator: raise when Init is called with iterationCount < 100 000. Note that this method is usually indirectly called by a subclass such as Org.BouncyCastle.Crypto.Generators.Pkcs5S2ParametersGenerator.

For Org.BouncyCastle.Crypto.Generators.SCrypt: raise when Generate is called with N < 2^12, r < 8, or dklen < 32.
Example code
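For the BouncyCastle targets above, the following added C# (my own illustration, not the issue's attached example code) shows the bcrypt, PBKDF2 and scrypt calls with parameters the rule would flag, each next to a compliant call. It assumes the BouncyCastle.Cryptography NuGet package (namespaces `Org.BouncyCastle.*`) and uses the `Pkcs5S2ParametersGenerator` subclass, since that is the usual way `PbeParametersGenerator.Init` is reached; the method names are hypothetical.

```csharp
// Added example (not from the issue): BouncyCastle call sites the rule targets.
using System;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Parameters;

public static class BouncyCastleSamples
{
    // OpenBsdBCrypt / BCrypt: cost is log2 of the number of rounds, so 12 means 2^12 rounds.
    // OpenBsdBCrypt requires a 16-byte salt and returns the "$2a$..." string form.
    public static string BcryptNoncompliant(char[] password, byte[] salt16) =>
        OpenBsdBCrypt.Generate(password, salt16, 4);                // Noncompliant: cost < 12

    public static string BcryptCompliant(char[] password, byte[] salt16) =>
        OpenBsdBCrypt.Generate(password, salt16, 12);               // Compliant

    // The raw BCrypt class takes the same cost argument and is flagged on the same threshold.
    public static byte[] RawBcryptNoncompliant(byte[] password, byte[] salt16) =>
        BCrypt.Generate(password, salt16, 10);                      // Noncompliant: cost < 12

    // PbeParametersGenerator.Init reached through Pkcs5S2ParametersGenerator (PBKDF2).
    public static byte[] Pbkdf2Noncompliant(char[] password, byte[] salt)
    {
        var generator = new Pkcs5S2ParametersGenerator(new Sha256Digest());
        generator.Init(PbeParametersGenerator.Pkcs5PasswordToUtf8Bytes(password), salt, 1_000); // Noncompliant: < 100 000
        return ((KeyParameter)generator.GenerateDerivedMacParameters(256)).GetKey();
    }

    public static byte[] Pbkdf2Compliant(char[] password, byte[] salt)
    {
        var generator = new Pkcs5S2ParametersGenerator(new Sha256Digest());
        generator.Init(PbeParametersGenerator.Pkcs5PasswordToUtf8Bytes(password), salt, 100_000); // Compliant
        return ((KeyParameter)generator.GenerateDerivedMacParameters(256)).GetKey();
    }

    // SCrypt.Generate(P, S, N, r, p, dkLen): all three flagged parameters are below threshold here.
    public static byte[] ScryptNoncompliant(byte[] password, byte[] salt) =>
        SCrypt.Generate(password, salt, 1 << 10, 4, 1, 16);          // Noncompliant: N < 2^12, r < 8, dkLen < 32

    public static byte[] ScryptCompliant(byte[] password, byte[] salt) =>
        SCrypt.Generate(password, salt, 1 << 14, 8, 1, 32);          // Compliant

    public static byte[] NewSalt(int length = 16) => RandomNumberGenerator.GetBytes(length);
}
```

When checking the scrypt call, note that the rule's thresholds apply to N, r and dkLen independently: a call with N = 2^14 but dkLen = 16 is still noncompliant.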
RSPEC
This rule's RSPEC contains information regarding messages and highlighting: