CWE 326 on new AesCng()

  • Question

  • veracode.com reports Inadequate Encryption Strength (CWE ID 326) for the following C#. This is the FIPS 140-2 method for creating a cipher. Is this a flaw in Veracode?

    var cipher = new AesCng()
    {
      BlockSize = 128,
      KeySize = 256,
      Mode = CipherMode.CBC,
      Padding = PaddingMode.PKCS7
    };

    The non-FIPS 140-2 method does not trigger a CWE warning. This makes no sense.

    var cipher = new AesManaged()
    {
      BlockSize = 128,
      KeySize = 256,
      Mode = CipherMode.CBC,
      Padding = PaddingMode.PKCS7
    };

    Thursday, September 7, 2017 6:32 PM
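The two snippets in the question configure the same cipher through two providers. As an added example (not code from the thread), the program below encrypts with the CNG provider and decrypts with the managed one, using a fresh random IV per message, to show that both produce identical AES-256-CBC output; it assumes Windows, where `AesCng` is available, and a constructed sample plaintext.

```csharp
// Added example (not from the thread): encrypt with the CNG (FIPS 140-2 validated)
// AES provider and decrypt with the managed one to show they implement the same
// cipher, so a CWE-326 finding on one but not the other is not about key strength.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class AesProviderCheck
{
    // Apply the exact parameters from the question to any Aes implementation.
    static T Configure<T>(T aes) where T : Aes
    {
        aes.BlockSize = 128;
        aes.KeySize = 256;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        return aes;
    }

    static byte[] Run(ICryptoTransform t, byte[] data) =>
        t.TransformFinalBlock(data, 0, data.Length);

    static void Main()
    {
        byte[] key = new byte[32];   // 256-bit key
        byte[] iv = new byte[16];    // one random IV per message; never a fixed value
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
            rng.GetBytes(iv);
        }
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample plaintext");

        byte[] cngCipher, managedCipher, roundTrip;
        using (var cng = Configure(new AesCng()))
            cngCipher = Run(cng.CreateEncryptor(key, iv), plaintext);

        // AesManaged is not FIPS-validated; on a host enforcing the FIPS policy the
        // .NET Framework refuses to construct it (InvalidOperationException).
        using (var managed = Configure(new AesManaged()))
        {
            managedCipher = Run(managed.CreateEncryptor(key, iv), plaintext);
            roundTrip = Run(managed.CreateDecryptor(key, iv), cngCipher);
        }

        Console.WriteLine("Same ciphertext from both providers: " + cngCipher.SequenceEqual(managedCipher));
        Console.WriteLine("Managed decrypts CNG output:         " + roundTrip.SequenceEqual(plaintext));
    }
}
```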

Answers

  • Hi tdhintz,

    Thank you for posting here.

    As your question is more related to Veracode, you could post it under the veracode tag on StackOverflow to get suitable support.

    https://stackoverflow.com/questions/tagged/veracode

    The CLR Forum discusses and answers questions about .NET Framework Base Classes (BCL) such as Collections, I/O, Registry, Globalization, Reflection. It also covers all the other Microsoft libraries that are built on or extend the .NET Framework, including Managed Extensibility Framework (MEF), Charting Controls, CardSpace, Windows Identity Foundation (WIF), Point of Sale (POS), Transactions.

    Best Regards,

    Wendy


    MSDN Community Support

    • Marked as answer by tdhintz Monday, October 9, 2017 6:38 PM
    Monday, September 11, 2017 6:34 AM
    Moderator

All replies

  • From their site, encryption using this method with a fixed salt will also produce this warning. (Set the dropdown menu to "Complete" and you can see an example that can raise this warning. The related one is CVE-2002-1975.)

    Btw, you should probably contact their CS staff to ask whether AesManaged is covered by their code analysis, and probably also about the criteria by which AES256CBC can trigger this warning.


    Friday, September 8, 2017 1:50 AM
    Answerer
  • The short story is that Veracode believes this is a false positive that they intend to fix.
    Monday, October 9, 2017 6:38 PM