Cryptography
Whenever encryption is performed, the resulting ciphertext must be authenticated to prevent tampering. Verify that the application uses an authenticated mode or applies a secure HMAC to any ciphertext, and that the HMAC is verified before performing any operations on the ciphertext (see The Cryptographic Doom Principle by Moxie Marlinspike).
Applications that use block ciphers should use an authenticated mode, such as GCM, whenever possible. Verify that the application does not use ECB mode (which leaks repeated plaintext blocks) and does not use other modes (CBC, CTR, etc.) in an insecure manner, for example CBC without a MAC, which exposes padding-oracle attacks, or CTR with a nonce that can repeat.
In every block cipher mode that takes an IV or nonce, that value must not be reused under the same key: with CTR or GCM a repeated nonce reveals the XOR of the two plaintexts (and, for GCM, allows the authentication key to be recovered), and with CBC it reveals whether two messages share a common prefix. Check that the initialization vector is not static, derived from a counter that can restart, or drawn from an insufficiently random source.
In CBC mode the IV must also be unpredictable: if an attacker can learn the next IV before choosing a plaintext, as in the BEAST attack on TLS 1.0, they can test guesses about previously encrypted blocks. If the application uses encryption in CBC mode, verify that each IV is generated using a cryptographically secure random number generator.
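The following Go program is an added illustration of the checks in the paragraphs above; it is not code from this page. It seals messages with AES-GCM using a fresh nonce from the OS CSPRNG per message, shows that the tag is verified before any plaintext is returned (a flipped bit or the wrong associated data yields an error, never partial plaintext), and demonstrates what goes wrong when one nonce is reused under a key: GCM runs AES in CTR mode underneath, so the XOR of two such ciphertexts equals the XOR of the plaintexts. The key, the associated-data string and the sample messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM wraps an AES block cipher (16-, 24- or 32-byte key) in GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM encrypts and authenticates plaintext. A fresh 96-bit nonce is drawn
// from the OS CSPRNG on every call and prepended to the output, so the same
// key never sees the same nonce twice by construction.
func SealGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to dst; passing nonce as dst yields nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenGCM splits off the nonce, then checks the tag and decrypts in one step.
// Open returns an error and no plaintext when the tag does not verify, so no
// operation is ever performed on unauthenticated ciphertext.
func OpenGCM(key, msg, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// TamperDetected flips one bit of the first ciphertext byte (just past the
// 12-byte nonce) and reports whether OpenGCM rejects the modified message.
func TamperDetected(key, msg, aad []byte) bool {
	bad := append([]byte(nil), msg...)
	bad[12] ^= 0x01
	_, err := OpenGCM(key, bad, aad)
	return err != nil
}

// NonceReuseLeak seals two plaintexts under the same key and nonce (the bug
// being demonstrated) and returns the XOR of the two ciphertext bodies over
// the shorter plaintext length. Because GCM's confidentiality layer is CTR
// mode, that XOR equals p1 XOR p2: whoever knows one plaintext reads the other.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	return XorBytes(c1, c2, n), nil
}

// XorBytes returns a[i] ^ b[i] for i < n.
func XorBytes(a, b []byte, n int) []byte {
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real keys come from a CSPRNG or KDF
	aad := []byte("header-v1")
	msg, err := SealGCM(key, []byte("transfer 10 USD"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := OpenGCM(key, msg, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	fmt.Println("tampering detected:", TamperDetected(key, msg, aad))

	p1, p2 := []byte("transfer 10 USD"), []byte("transfer 99 USD")
	leak, _ := NonceReuseLeak(key, make([]byte, 12), p1, p2) // fixed all-zero nonce: the mistake
	fmt.Println("c1^c2 == p1^p2 under a reused nonce:", bytes.Equal(leak, XorBytes(p1, p2, len(p1))))
}
```

In a review, the questions this maps to are: where does the nonce come from, is it stored with the message, and is there any code path that touches ciphertext before Open (or the HMAC check) has succeeded.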
Some cryptographic algorithms (most commonly asymmetric ones such as Diffie-Hellman) require parameters to be exchanged between the parties. Not all parameter values are acceptable: a malicious peer who sends a degenerate public value such as 0, 1 or p-1 forces the shared secret into a handful of known values, and a value lying in a small subgroup lets the peer learn bits of the other party's private key (the small-subgroup attack).
If the application uses or implements a cryptographic primitive that requires parameters to be exchanged, verify that those parameters are validated to ensure dangerous or degenerate values are not accepted.
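An added example (not from the original page) of that validation for finite-field Diffie-Hellman, in Go. The peer's public value is rejected unless it lies in [2, p-2] and in the prime-order-q subgroup (y^q mod p == 1), and the shared secret is computed only after the check passes. The group used here is a deliberately tiny safe-prime group (p=23, q=11, g=4) chosen so the arithmetic can be followed by hand; the type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Group holds finite-field Diffie-Hellman parameters: a safe prime p = 2q+1
// and a generator g of the subgroup of prime order q.
type Group struct{ P, Q, G *big.Int }

var one = big.NewInt(1)

// ValidatePublic rejects degenerate or small-subgroup peer values:
//   - y <= 1 or y >= p-1: 0, 1 and p-1 force the shared secret to 0, 1 or +/-1
//   - y^q mod p != 1: y is outside the order-q subgroup, so using it would
//     leak information about our private exponent
func ValidatePublic(g Group, y *big.Int) error {
	pMinus1 := new(big.Int).Sub(g.P, one)
	if y.Cmp(one) <= 0 || y.Cmp(pMinus1) >= 0 {
		return errors.New("dh: public value outside [2, p-2]")
	}
	if new(big.Int).Exp(y, g.Q, g.P).Cmp(one) != 0 {
		return errors.New("dh: public value not in the prime-order subgroup")
	}
	return nil
}

// GenerateKey picks a private exponent uniformly in [1, q-1] from the OS
// CSPRNG and returns it with the public value g^priv mod p.
func GenerateKey(g Group) (priv, pub *big.Int, err error) {
	r, err := rand.Int(rand.Reader, new(big.Int).Sub(g.Q, one)) // r in [0, q-2]
	if err != nil {
		return nil, nil, err
	}
	priv = r.Add(r, one) // shift to [1, q-1]
	return priv, new(big.Int).Exp(g.G, priv, g.P), nil
}

// SharedSecret validates the peer's value first and only then exponentiates.
func SharedSecret(g Group, peerPub, priv *big.Int) (*big.Int, error) {
	if err := ValidatePublic(g, peerPub); err != nil {
		return nil, err
	}
	return new(big.Int).Exp(peerPub, priv, g.P), nil
}

// ToyGroup is a toy safe-prime group for hand-checkable arithmetic. Real code
// uses a standard group of at least 2048 bits (RFC 3526 or RFC 7919) with the
// same checks; the validation logic does not depend on the group size.
var ToyGroup = Group{P: big.NewInt(23), Q: big.NewInt(11), G: big.NewInt(4)}

func main() {
	privA, pubA, _ := GenerateKey(ToyGroup)
	privB, pubB, _ := GenerateKey(ToyGroup)
	sA, errA := SharedSecret(ToyGroup, pubB, privA)
	sB, errB := SharedSecret(ToyGroup, pubA, privB)
	fmt.Println("shared secrets agree:", errA == nil && errB == nil && sA.Cmp(sB) == 0)
	// 0, 1 and p-1 are degenerate; 5 has order 22 in this group, not 11.
	for _, bad := range []int64{0, 1, 22, 5} {
		fmt.Printf("peer value %2d: %v\n", bad, ValidatePublic(ToyGroup, big.NewInt(bad)))
	}
}
```

When reviewing, look for the equivalent check on every value received from the network: the DH public value, and for elliptic-curve variants the point-on-curve check, before it is fed into any private-key operation.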
Programs use random number generators (RNGs), which output uniform and hard-to-predict numbers, for testing, simulation, varying functionality, or security. In practice, random number generation is implemented with a pseudo-random number generator (PRNG), and different algorithms have different security properties. When the numbers must be truly unpredictable, an insecure generator can completely defeat the security of the system: using an insecure generator, or seeding a secure generator with a predictable value (a timestamp or process ID, for example), lets an attacker reproduce the generator's output.
Verify that, for any security-relevant functionality, the application uses only a cryptographically secure RNG (typically the operating system's CSPRNG) and does not perform its own seeding.
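An added example, not part of the page, of the predictable-seed failure in Go. InsecureToken stands in for application code that seeds math/rand with a Unix timestamp to mint a session token; RecoverSeed is what an attacker does with only a rough idea of when the token was issued; SecureToken is the correct alternative, which takes no seed at all. The token length and the one-hour search window are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
	"time"
)

// InsecureToken mimics a common mistake: a token drawn from math/rand seeded
// with a low-entropy value. math/rand is a deterministic PRNG, so the same
// seed always yields the same byte sequence.
func InsecureToken(seed int64, n int) []byte {
	r := mrand.New(mrand.NewSource(seed))
	out := make([]byte, 0, n+8)
	var b [8]byte
	for len(out) < n {
		binary.BigEndian.PutUint64(b[:], r.Uint64())
		out = append(out, b[:]...)
	}
	return out[:n]
}

// RecoverSeed is the attacker's side: knowing the token came from a timestamp
// within [lo, hi], replay every candidate seed until the output matches.
// A window of a few hours costs only thousands of PRNG runs.
func RecoverSeed(token []byte, lo, hi int64) (int64, bool) {
	for s := lo; s <= hi; s++ {
		if bytes.Equal(InsecureToken(s, len(token)), token) {
			return s, true
		}
	}
	return 0, false
}

// SecureToken draws from the OS CSPRNG (crypto/rand). There is no seed for
// the application to choose, and therefore none for an attacker to guess.
func SecureToken(n int) ([]byte, error) {
	out := make([]byte, n)
	if _, err := rand.Read(out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	issued := time.Now().Unix()
	tok := InsecureToken(issued, 16)
	// The attacker only knows the token was issued within the last hour or so.
	seed, ok := RecoverSeed(tok, issued-3600, issued+3600)
	fmt.Printf("insecure token %x: seed recovered=%v (%d)\n", tok, ok, seed)
	sec, _ := SecureToken(16)
	fmt.Printf("secure token   %x: nothing to recover\n", sec)
}
```

The same search works against any PRNG whose state is derived from a guessable seed, regardless of how strong the PRNG's output function is; the review question is therefore "where does the seed come from", not "which generator is used".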
A cryptographic hash is a function that takes a string of bytes and returns a small, fixed-size value. Hash functions guarantee that the same input always produces the same output. When used for security, the most important property of a hash function is that it is computationally infeasible for an attacker to produce two inputs that hash to the same value (a collision), and equally infeasible to find an input that hashes to a given value (a preimage). Hashes that lack these properties are considered insecure.
Verify that, for any security-relevant functionality, the application uses a secure hashing algorithm such as SHA-256, SHA-512, SHA-3, or BLAKE2b, and does not use MD5 or SHA-1, both of which have practical collision attacks. Note that password storage requires a dedicated, deliberately slow and salted password hashing function rather than a plain digest.
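An added Go example, not from the page, of how an application can enforce that only approved digests are reachable from configuration: an allowlist of constructors that fails closed on "md5" or "sha1", a digest helper built on it, and a verification helper that compares digests in constant time (which matters when the expected value is itself secret, such as a MAC tag). The allowlist contents and function names are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
)

// approved maps the digest names this codebase may use to their constructors.
// MD5 and SHA-1 are intentionally absent: both have practical collision attacks.
var approved = map[string]func() hash.Hash{
	"sha256": sha256.New,
	"sha384": sha512.New384,
	"sha512": sha512.New,
}

// NewDigest returns a hash for an approved algorithm name and rejects anything
// else, so a config value such as "md5" fails closed instead of silently
// weakening the application.
func NewDigest(alg string) (hash.Hash, error) {
	ctor, ok := approved[alg]
	if !ok {
		return nil, fmt.Errorf("hash: algorithm %q is not approved", alg)
	}
	return ctor(), nil
}

// HexDigest hashes data with the named algorithm and returns lowercase hex.
func HexDigest(alg string, data []byte) (string, error) {
	h, err := NewDigest(alg)
	if err != nil {
		return "", err
	}
	h.Write(data)
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyDigest recomputes the digest and compares it in constant time, so the
// comparison's running time does not reveal how many leading bytes matched.
func VerifyDigest(alg string, data []byte, expectedHex string) (bool, error) {
	got, err := HexDigest(alg, data)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(got), []byte(expectedHex)) == 1, nil
}

func main() {
	for _, alg := range []string{"sha256", "sha512", "md5", "sha1"} {
		d, err := HexDigest(alg, []byte("abc")) // constructed sample input
		fmt.Printf("%-6s %s err=%v\n", alg, d, err)
	}
}
```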