  1. C# Driver
  2. CSHARP-4032

MD5.Create Method Use of Broken Cryptographic Algorithms

    • Type: Bug
    • Resolution: Gone away
    • Priority: Critical - P2
    • Affects Version/s: None
    • Component/s: API

      Summary

      MD5 Hashing Violation was found in Mongo Driver C#.
      See Microsoft security rule CA5351

      https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5351

      The hashing algorithm used, MD5, has been found by researchers to be unsafe for protecting sensitive data with today's technology.

      Please provide the version of the driver. If applicable, please provide the MongoDB server version and topology (standalone, replica set, or sharded cluster).

      .NET Driver Version 2.14.1

      How to Reproduce

      Steps to reproduce. If possible, please include a Short, Self Contained, Correct (Compilable), Example.

      Additional Background

      Please provide any additional background information that may be helpful in diagnosing the bug.
      Line affected in AuthenticationHelper.cs

      mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/AuthenticationHelper.cs

      private static string MongoPasswordDigest(string username, byte[] passwordBytes)
      {
          var prefixString = username + ":mongo:";
          var prefixBytes = Utf8Encodings.Strict.GetBytes(prefixString);

          var buffer = new byte[prefixBytes.Length + passwordBytes.Length];
          var bufferHandle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
          try
          {
              Buffer.BlockCopy(prefixBytes, 0, buffer, 0, prefixBytes.Length);
              Buffer.BlockCopy(passwordBytes, 0, buffer, prefixBytes.Length, passwordBytes.Length);

              using (var md5 = MD5.Create())
              {
                  var hash = md5.ComputeHash(buffer);
                  return BsonUtils.ToHexString(hash);
              }
          }
          finally
          {
              Array.Clear(buffer, 0, buffer.Length);
              bufferHandle.Free();
          }
      }

            Assignee: robert@mongodb.com Robert Stam
            Reporter: latitude80uk@gmail.com Femi Osibote
            Votes: 0
            Watchers: 3
