Weak encryption: inadequate RSA padding

ID: cs/inadequate-rsa-padding
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-327
   - external/cwe/cwe-780
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

This query finds uses of RSA encryption without secure padding. Using PKCS#1 v1.5 padding exposes your application to several different attacks, which can result in exposure of the encryption key or let an attacker determine plaintext from encrypted messages.

Recommendation

Use the more secure PKCS#1 v2 (OAEP) padding.
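
The weak padding beside the recommended one, as an added example (not taken from the CodeQL documentation or the query's own code). Class and method names are illustrative, and the key and message are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; class and method names are illustrative.
public static class RsaPaddingExample
{
    // Weak: PKCS#1 v1.5 encryption padding.
    public static byte[] EncryptWeak(RSA key, byte[] plaintext) =>
        key.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);

    // Weak, older overload: fOAEP == false also selects PKCS#1 v1.5.
    public static byte[] EncryptWeakLegacy(RSACryptoServiceProvider key, byte[] plaintext) =>
        key.Encrypt(plaintext, false);

    // Recommended: OAEP (PKCS#1 v2) padding, here with SHA-256.
    public static byte[] EncryptOaep(RSA key, byte[] plaintext) =>
        key.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);

    // Accept OAEP only; never retry with v1.5 padding when this fails.
    public static bool TryDecryptOaep(RSA key, byte[] ciphertext, out byte[] plaintext)
    {
        try
        {
            plaintext = key.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
            return true;
        }
        catch (CryptographicException)
        {
            plaintext = Array.Empty<byte>();
            return false;
        }
    }

    public static void Main()
    {
        using RSA key = RSA.Create(3072); // throwaway key
        byte[] msg = Encoding.UTF8.GetBytes("constructed sample message");

        byte[] oaep = EncryptOaep(key, msg);
        byte[] v15 = EncryptWeak(key, msg);

        Console.WriteLine($"OAEP ciphertext accepted: {TryDecryptOaep(key, oaep, out _)}");
        Console.WriteLine($"v1.5 ciphertext accepted: {TryDecryptOaep(key, v15, out _)}");
    }
}
```

Changing the encrypting side alone is not enough: the decrypting side must also stop accepting PKCS#1 v1.5 ciphertexts, which is why `TryDecryptOaep` has no fallback path.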
