From a4d60678b8400ecff86cfa8a08f3a1a38c264099 Mon Sep 17 00:00:00 2001 From: jmariasantosdekra Date: Mon, 5 Aug 2024 11:32:01 +0200 Subject: [PATCH 01/19] Added MASWE-0019.md --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 91 ++++++++++++++++----------- 1 file changed, 53 insertions(+), 38 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index eef91014e6..f063ea0381 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -1,38 +1,53 @@ ---- -title: Potentially Weak Cryptography Implementations -id: MASWE-0019 -alias: potentially-weak-crypto-impl -platform: [android, ios] -profiles: [L2] -mappings: - masvs-v1: [MSTG-CRYPTO-2] - masvs-v2: [MASVS-CRYPTO-1, MASVS-CODE-3] - -refs: -- https://cwe.mitre.org/data/definitions/1240.html -- https://cwe.mitre.org/data/definitions/327.html -- https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String) -- https://developer.android.com/privacy-and-security/security-gms-provider -- https://developer.android.com/privacy-and-security/cryptography#bc-algorithms -- https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library -- https://developer.android.com/privacy-and-security/cryptography#crypto_provider -- https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality -- https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile -draft: - description: Don't use outdated or known weak implementations and don't build your - own cryptography. Using custom cryptography instead of relying on established, - expert-designed APIs or certified modules exposes apps to vulnerabilities due - to potential implementation flaws and lack of rigorous security review. - topics: - - platform-provided cryptographic APIs (e.g. conscrypt/CryptoKit) - - custom-made cryptographic APIs (e.g. via xor, bit flipping, etc. or cryptographic - constants or values such as sbox, etc.) 
- - custom algorithms, primitives, protocols - - specify Cipher.getInstance provider (Android) - - Android Security Provider (Android) - - Jetpack Security Crypto Library (Android) - - BoucyCastle algorithms (Android) -status: draft - ---- - +--- +title: Potentially Weak Cryptography Implementations +alias: potentially-weak-crypto-impl +platform: [android, ios] +profiles: [L2] +mappings: + masvs-v1: [MSTG-CRYPTO-2] + masvs-v2: [MASVS-CRYPTO-1, MASVS-CODE-3] + mastg-v1: [MASTG-TEST-0061, MASTG-TEST-0014] + +refs: + - https://cwe.mitre.org/data/definitions/1240.html + - https://cwe.mitre.org/data/definitions/327.html + - https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String) + - https://developer.android.com/privacy-and-security/security-gms-provider + - https://developer.android.com/privacy-and-security/cryptography#bc-algorithms + - https://developer.android.com/privacy-and-security/cryptography#jetpack_security_crypto_library + - https://developer.android.com/privacy-and-security/cryptography#crypto_provider + - https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality + - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile +--- + +## Overview + +The use of outdated or known weak implementations, as well as custom built cryptography poses a significant security risk, as their potential implementation flaws and lack of security review exposes apps to vulnerabilities. Instead, always use certified, expert-designed modules for cryptographic purposes. + +## Impact + +Using weak or outdated cryptography implementations can lead to a variety of security issues, including but not limited to: + +- **Read application data**: Encrypted sensitive data may be compromised by the use of a weak or broken cryptographic algorithm, as it could render it as unencrypted plaintext. 
+- **Modify application data**: Integrity-verified application files may be altered due to the use of broken cryptographic algorithms. +- **Hide sources of data**: Broken cryptographic algorithms may lead to the source of the data of the application to not be proven, if this algorithms are used to ensure the identity of the source of them. + +## Modes of Introduction + + +Weak, outdated or custom cryptographic algorithms can be found in several areas: + +- **App Source Code**: In modules where cryptographic algorithms are used. +- **Libraries**: Third-party or app dependencies where cryptographic algorithms are imported. + + +## Mitigations + +To mitigate the risks associated with weak cryptographic implementations, developers should: + +- Use strong and up-to-date cryptographic algorithms to manage data. +- Do not implement custom-made cryptographic algorithms, as they may be exposed to attacks. +- Manage and protect cryptoghraphic keys, using Android KeyStore or iOS Keychain. +- When using cryptographic algorithms, do not omit steps in order to improve performance. These steps are often essential for preventing attacks. +- Regularly audit the codebase and dependencies for outdated cryptographic algorithms. +- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. From 6d2ee8ebc8c3281baa0d0521f6cd34fed7ebea69 Mon Sep 17 00:00:00 2001 From: jmariasantosdekra Date: Mon, 5 Aug 2024 12:37:29 +0200 Subject: [PATCH 02/19] Removed blank spaces from MASWE-0019.md --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index f063ea0381..c0f6e716e0 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -34,13 +34,11 @@ Using weak or outdated cryptography implementations can lead to a variety of sec ## Modes of Introduction - Weak, outdated or custom cryptographic algorithms can be found in several areas: - **App Source Code**: In modules where cryptographic algorithms are used. - **Libraries**: Third-party or app dependencies where cryptographic algorithms are imported. - ## Mitigations To mitigate the risks associated with weak cryptographic implementations, developers should: @@ -50,4 +48,4 @@ To mitigate the risks associated with weak cryptographic implementations, develo - Manage and protect cryptoghraphic keys, using Android KeyStore or iOS Keychain. - When using cryptographic algorithms, do not omit steps in order to improve performance. These steps are often essential for preventing attacks. - Regularly audit the codebase and dependencies for outdated cryptographic algorithms. -- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. +- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. \ No newline at end of file From d09e475a292bc7c3095aed5661a2cb43c282d50f Mon Sep 17 00:00:00 2001 From: jmariasantosdekra Date: Mon, 5 Aug 2024 12:38:45 +0200 Subject: [PATCH 03/19] Added newline at the end of MASWE-0019.md --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index c0f6e716e0..74eb19d583 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -48,4 +48,4 @@ To mitigate the risks associated with weak cryptographic implementations, develo - Manage and protect cryptoghraphic keys, using Android KeyStore or iOS Keychain. - When using cryptographic algorithms, do not omit steps in order to improve performance. These steps are often essential for preventing attacks. - Regularly audit the codebase and dependencies for outdated cryptographic algorithms. -- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. \ No newline at end of file +- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. From 611a6dfbf56c4ea8e89ec7f142dc925757887adb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:11:40 +0200 Subject: [PATCH 04/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index 74eb19d583..c68c5a09bc 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -26,11 +26,12 @@ The use of outdated or known weak implementations, as well as custom built crypt ## Impact -Using weak or outdated cryptography implementations can lead to a variety of security issues, including but not limited to: +Custom cryptographic implementations created without following established standards make them more susceptible to attacks such as brute force or differential cryptanalysis. In addition, cryptography is notoriously difficult to implement correctly, and even small errors in a custom solution, such as incorrect padding or faulty random number generation, can completely undermine the security of the system, exposing sensitive data to attackers. -- **Read application data**: Encrypted sensitive data may be compromised by the use of a weak or broken cryptographic algorithm, as it could render it as unencrypted plaintext. -- **Modify application data**: Integrity-verified application files may be altered due to the use of broken cryptographic algorithms. -- **Hide sources of data**: Broken cryptographic algorithms may lead to the source of the data of the application to not be proven, if this algorithms are used to ensure the identity of the source of them. +The impact associated with such defects can be very broad and difficult to predict or measure: + +- **Data breaches**: Weak encryption can lead to unauthorized access to sensitive data, resulting in data breaches. +- **Compromised confidentiality, integrity, and authenticity**: The core principles of cryptography (confidentiality, integrity, and authenticity) are compromised. Attackers can decrypt, manipulate, or impersonate legitimate users or systems. ## Modes of Introduction From 45ad705fe998ba34b9e05f7c756b40afc3411c02 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:13:02 +0200 Subject: [PATCH 05/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index c68c5a09bc..86366a5d13 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -42,11 +42,6 @@ Weak, outdated or custom cryptographic algorithms can be found in several areas: ## Mitigations -To mitigate the risks associated with weak cryptographic implementations, developers should: - -- Use strong and up-to-date cryptographic algorithms to manage data. -- Do not implement custom-made cryptographic algorithms, as they may be exposed to attacks. -- Manage and protect cryptoghraphic keys, using Android KeyStore or iOS Keychain. -- When using cryptographic algorithms, do not omit steps in order to improve performance. These steps are often essential for preventing attacks. -- Regularly audit the codebase and dependencies for outdated cryptographic algorithms. -- Security crypto libraries such as Jetpack or BouncyCastle are deprecated for many algorithms, avoid using them. +- **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms or protocols. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Keystore and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. +- **Ensure compliance with security standards**: If you can't avoid using custom cryptography, make sure it's implemented to meet industry standards such as FIPS 140-2/3 (Federal Information Processing Standards) or the latest National Institute of Standards and Technology (NIST) recommendations. +- **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. From 531a37a12baa682f6d178d594bb8e45d12f09232 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:13:11 +0200 Subject: [PATCH 06/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index 86366a5d13..f5c1e30712 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md @@ -22,7 +22,7 @@ refs: ## Overview -The use of outdated or known weak implementations, as well as custom built cryptography poses a significant security risk, as their potential implementation flaws and lack of security review exposes apps to vulnerabilities. Instead, always use certified, expert-designed modules for cryptographic purposes. +Outdated, weak, or noncompliant cryptographic implementations, such as those that do not meet established security standards such as FIPS 140-2/3 (Federal Information Processing Standards), may use algorithms that have not been sufficiently tested or that lack certification, may not follow best practices for secure key management, or may include custom cryptographic solutions that haven't undergone rigorous peer review or formal validation. ## Impact From 49dadc5734ccbea3ca0a652d2ab50f9fe99fcff6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:13:56 +0200 Subject: [PATCH 07/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index f5c1e30712..c19ab39521 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -35,10 +35,11 @@ The impact associated with such defects can be very broad and difficult to predi ## Modes of Introduction -Weak, outdated or custom cryptographic algorithms can be found in several areas: - -- **App Source Code**: In modules where cryptographic algorithms are used. -- **Libraries**: Third-party or app dependencies where cryptographic algorithms are imported. +- **Deviation from standard libraries**: Not using well-known libraries for cryptography, such as those provided by the platforms like Conscrypt or CryptoKit, or other well-established libraries like OpenSSL, BouncyCastle, etc. +- **Use of cryptographic constants**: Hardcoded cryptographic constants are typically used to implement cryptographic algorithms. These constants include S-boxes (substitution boxes) for block ciphers, permutation tables, etc. +- **Use of low-level mathematical operations**: Low-level mathematical operations (such as bitwise operations, shifts, custom padding schemes) typically used in cryptographic algorithms. +- **High entropy code**: An indicator of cryptographic implementations or heavily obfuscated code that may hide cryptographic algorithms from reverse engineering. +- **Use of non-cryptographic functions**: Non-cryptographic functions such as Base64 encoding or XOR instead of encryption. ## Mitigations From f7fe868b9165f0a46bba72ff4e42f7a7fafeda02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:14:04 +0200 Subject: [PATCH 08/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 1 + 1 file changed, 1 insertion(+) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index c19ab39521..cff7261400 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -7,6 +7,7 @@ mappings: masvs-v1: [MSTG-CRYPTO-2] masvs-v2: [MASVS-CRYPTO-1, MASVS-CODE-3] mastg-v1: [MASTG-TEST-0061, MASTG-TEST-0014] + cwe: [327, 1240] refs: - https://cwe.mitre.org/data/definitions/1240.html From ed95b33e48abb4cf37f2d03441f3e9a5d1a407d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:14:13 +0200 Subject: [PATCH 09/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index cff7261400..8e649a4a62 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md @@ -10,8 +10,13 @@ mappings: cwe: [327, 1240] refs: - - https://cwe.mitre.org/data/definitions/1240.html - - https://cwe.mitre.org/data/definitions/327.html + - https://book.hacktricks.xyz/crypto-and-stego/cryptographic-algorithms + - https://www.researchgate.net/publication/290181523_Evaluation_of_Cryptography_Usage_in_Android_Applications + - https://www.scitepress.org/papers/2014/50563/50563.pdf + - https://pure.tugraz.at/ws/portalfiles/portal/23858147 + - https://github.com/Wind-River/crypto-detector + - https://github.com/Rami114/cryptoscan/ + - https://github.com/IAIK/CryptoSlice - https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String) - https://developer.android.com/privacy-and-security/security-gms-provider - https://developer.android.com/privacy-and-security/cryptography#bc-algorithms From ff7dff2ac15377982c82b9c86e51d8e8fbd485ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:14:30 +0200 Subject: [PATCH 10/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 1 + 1 file changed, 1 insertion(+) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index 8e649a4a62..7031c394df 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md @@ -1,5 +1,6 @@ --- title: Potentially Weak Cryptography Implementations +id: MASWE-0019 alias: potentially-weak-crypto-impl platform: [android, ios] profiles: [L2] From 9b7a1644c1f84d4a695e9656f50d65f005cc4508 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Wed, 4 Sep 2024 08:32:32 +0200 Subject: [PATCH 11/19] Update MASWE-0019.md From 722d802106079e27df13e87e5d128f8cbb18c325 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Wed, 4 Sep 2024 09:40:58 +0200 Subject: [PATCH 12/19] Update weaknesses/MASVS-CRYPTO/MASWE-0019.md --- weaknesses/MASVS-CRYPTO/MASWE-0019.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0019.md b/weaknesses/MASVS-CRYPTO/MASWE-0019.md index 7031c394df..e64648fa11 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0019.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0019.md 
@@ -50,6 +50,7 @@ The impact associated with such defects can be very broad and difficult to predi ## Mitigations -- **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms or protocols. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Keystore and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. +- **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms or protocols. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Conscrypt and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. + - **Ensure compliance with security standards**: If you can't avoid using custom cryptography, make sure it's implemented to meet industry standards such as FIPS 140-2/3 (Federal Information Processing Standards) or the latest National Institute of Standards and Technology (NIST) recommendations. - **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. From 61a1fb577a2f701dbce4d16a878259561294197b Mon Sep 17 00:00:00 2001 From: jmariasantosdekra Date: Mon, 28 Oct 2024 10:53:26 +0100 Subject: [PATCH 13/19] Added MASWE-0023.md content --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 38 ++++++++++++++++++++------- 1 file changed, 29 insertions(+), 9 deletions(-) 
diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 27818a4a2b..17972311fc 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md 
@@ -7,20 +7,40 @@ profiles: [L1, L2] mappings: masvs-v1: [MSTG-CRYPTO-4] masvs-v2: [MASVS-CRYPTO-1] + mastg-v1: [MASTG-TEST-0014] refs: - https://developer.android.com/privacy-and-security/cryptography#deprecated-functionality - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile -draft: - description: The use of weak padding such as NoPadding, ZeroPadding, etc. in a security - sensitive context should be avoided to ensure the integrity and authenticity of - the data. - topics: - - NoPadding - - PKCS1-v1_5 -status: draft - --- +## Overview + +Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, such as NIST SP 800-56B are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as padding oracle attacks. + +## Impact + +Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to: + +- **Data breaches**: Weak padding can lead to unauthorized access to sensitive data, resulting in data breaches. +- **Loss of data integrity**: Padding attacks may aid attackers in manipulating ciphertext, leading to unauthorized data modifications. +- **Compromised confidentiality**: Weak padding may aid attackers in recovering plaintext from encrypted data. + +## Modes of Introduction + +- **Insecure padding scheme**: Using padding schemes that are vulnerable to attacks, such as PKCS1V1.5 or PKCS#7 when used with CBC mode of operation. 
+- **Custom padding solutions**: Implementing custom or non-standard padding schemes that have not been sufficiently tested or that lack certification. +- **Improper padding validation**: Failure to correctly validate and handle padding errors, potentially leaking information to attackers via error messages or timing discrepancies. +- **Outdated cryptographic libraries**: Using libraries or algorithms with known padding vulnerabilities (e.g. Padding Oracle). + +## Mitigations + +- **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms with custom padding schemes. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Conscrypt and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. + +- **Implement proper and secure padding validation**: Use established and secure padding schemes, ensuring that padding is properly validated when necessary for the encryption mode. When possible, use authenticated encryption modes like GCM, which eliminate the need for padding and include built-in integrity verification. + +- **Regularly update cryptographic libraries**: Ensure the cryptographic libraries in use are up-to-date to avoid known vulnerabilities related to padding attacks. + +- **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. \ No newline at end of file From 8adaaea5428561ca71126189e059a985a1aa4af0 Mon Sep 17 00:00:00 2001 
From: jmariasantosdekra Date: Mon, 28 Oct 2024 11:21:15 +0100 Subject: [PATCH 14/19] Removed newlines and blank spaces --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 17972311fc..9adc29141e 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md @@ -38,9 +38,6 @@ Weak padding schemes can completely undermine the security of the cryptographic ## Mitigations - **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms with custom padding schemes. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Conscrypt and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. - - **Implement proper and secure padding validation**: Use established and secure padding schemes, ensuring that padding is properly validated when necessary for the encryption mode. When possible, use authenticated encryption modes like GCM, which eliminate the need for padding and include built-in integrity verification. - - **Regularly update cryptographic libraries**: Ensure the cryptographic libraries in use are up-to-date to avoid known vulnerabilities related to padding attacks. - - **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. \ No newline at end of file From 74d6df0ef5b4f2386c59fb5f1408d57577630267 Mon Sep 17 00:00:00 2001 
From: jmariasantosdekra Date: Mon, 28 Oct 2024 11:32:31 +0100 Subject: [PATCH 15/19] Added final blankspace --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 9adc29141e..9f7ca73bed 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md 
@@ -40,4 +40,4 @@ Weak padding schemes can completely undermine the security of the cryptographic - **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms with custom padding schemes. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Conscrypt and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. - **Implement proper and secure padding validation**: Use established and secure padding schemes, ensuring that padding is properly validated when necessary for the encryption mode. When possible, use authenticated encryption modes like GCM, which eliminate the need for padding and include built-in integrity verification. - **Regularly update cryptographic libraries**: Ensure the cryptographic libraries in use are up-to-date to avoid known vulnerabilities related to padding attacks. -- **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. \ No newline at end of file +- **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment. From 0f3b756c370c2ffeec71461ab12b2cb8bc0d4536 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:48:05 +0100 Subject: [PATCH 16/19] Update weaknesses/MASVS-CRYPTO/MASWE-0023.md Co-authored-by: Carlos Holguera --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 1 + 1 file changed, 1 insertion(+) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 9f7ca73bed..a894db6d64 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md @@ -14,6 +14,7 @@ refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile +status: new --- ## Overview From 336a22f30b1be086c11915b2696e3ab267ab3373 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Fri, 10 Jan 2025 13:15:33 +0100 Subject: [PATCH 17/19] Update MASWE-0023.md --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index a894db6d64..6af39a4da8 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md 
@@ -14,20 +14,19 @@ refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf - https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile +- https://www.usenix.org/legacy/event/woot10/tech/full_papers/Rizzo.pdf status: new --- ## Overview -Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, such as NIST SP 800-56B are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as padding oracle attacks. +Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, as outlined in [NIST SP 800-131A Rev.2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as [padding oracle attacks](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Rizzo.pdf). ## Impact -Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to: - -- **Data breaches**: Weak padding can lead to unauthorized access to sensitive data, resulting in data breaches. -- **Loss of data integrity**: Padding attacks may aid attackers in manipulating ciphertext, leading to unauthorized data modifications. -- **Compromised confidentiality**: Weak padding may aid attackers in recovering plaintext from encrypted data. +- **Data breaches**: Weak padding can allow unauthorized access to sensitive data, resulting in data breaches. When incorrectly padded ciphertext is processed, the system may produce distinguishable error messages. 
Attackers can exploit these responses to decrypt sensitive data without needing the encryption key. +- **Loss of data integrity**: Padding attacks can help attackers manipulate ciphertext, leading to unauthorized data modifications. By modifying the ciphertext and observing how the system responds, attackers can alter encrypted data in a way that the system decrypts it without detecting any issues. This allows the system to accept the altered data as valid, compromising its integrity. +- **Compromised confidentiality**: Weak padding can enable attackers to recover plaintext from encrypted data. Vulnerable implementations may leak information about the correctness of padding through error messages, which attackers can use to gradually decrypt sensitive information such as passwords or session tokens, compromising the confidentiality of the data. ## Modes of Introduction From 06ea6787d139da25117e0de597460c56136efd0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Mar=C3=ADa=20Santos?= <99655739+jmariasantosdekra@users.noreply.github.com> Date: Tue, 14 Jan 2025 16:08:50 +0100 Subject: [PATCH 18/19] Update MASWE-0023.md --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 6af39a4da8..35c1624fc3 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md 
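Review bot: in the Impact hunk, the new **Data breaches** bullet and the **Compromised confidentiality** bullet describe the same mechanism (distinguishable padding errors that let an attacker recover plaintext without the key), so one of them is redundant, and the hunk also deletes the introductory sentence ("Weak padding schemes can completely undermine ... This can lead to:"), leaving the list directly under `## Impact` with no lead-in. Suggest keeping a one-line lead-in and merging the two overlapping bullets. On the Overview line, a comma is missing after the link's closing `)` before "are not recommended", and `Rev.2` would read better as `Rev. 2`.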
@@ -20,7 +20,7 @@ status: new ## Overview -Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, as outlined in [NIST SP 800-131A Rev.2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as [padding oracle attacks](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Rizzo.pdf). +Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, as outlined in [NIST SP 800-131A Rev.2, Section 6 Key Agreement and Key Transport Using RSA](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf) are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as [padding oracle attacks](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Rizzo.pdf). ## Impact From 3251f66b4513f3dd433497e0aad47216673409d2 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Thu, 16 Jan 2025 18:24:37 +0100 Subject: [PATCH 19/19] remove some unneded points --- weaknesses/MASVS-CRYPTO/MASWE-0023.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0023.md b/weaknesses/MASVS-CRYPTO/MASWE-0023.md index 35c1624fc3..feb5cc031e 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0023.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0023.md 
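Review bot: the expanded link text now ties the PKCS1v1.5 example to Section 6 of SP 800-131A (RSA key transport), but the padding-oracle reference in the same sentence (Rizzo and Duong, WOOT 2010) covers CBC block-cipher padding, not RSA PKCS#1 v1.5, so the sentence pairs an RSA example with a symmetric-mode citation. Either add a reference that covers RSA PKCS#1 v1.5 padding oracles (Bleichenbacher's CRYPTO 1998 attack is the canonical one) or word the sentence so the two are not linked, e.g. "such as PKCS1v1.5 for RSA, or PKCS#7 with CBC mode, ... such as padding oracle attacks". The comma after the link's closing `)` is still missing.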
@@ -24,7 +24,6 @@ Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes tha ## Impact -- **Data breaches**: Weak padding can allow unauthorized access to sensitive data, resulting in data breaches. When incorrectly padded ciphertext is processed, the system may produce distinguishable error messages. Attackers can exploit these responses to decrypt sensitive data without needing the encryption key. - **Loss of data integrity**: Padding attacks can help attackers manipulate ciphertext, leading to unauthorized data modifications. By modifying the ciphertext and observing how the system responds, attackers can alter encrypted data in a way that the system decrypts it without detecting any issues. This allows the system to accept the altered data as valid, compromising its integrity. - **Compromised confidentiality**: Weak padding can enable attackers to recover plaintext from encrypted data. Vulnerable implementations may leak information about the correctness of padding through error messages, which attackers can use to gradually decrypt sensitive information such as passwords or session tokens, compromising the confidentiality of the data. 
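Review bot: dropping the Data breaches bullet is the right call since it duplicated the confidentiality bullet, but the remaining **Loss of data integrity** bullet says the system decrypts the altered ciphertext "without detecting any issues", which contradicts the confidentiality bullet's premise that the system does detect and report the padding error. The underlying point is that a valid padding check is not an integrity check, so a ciphertext with correct padding is accepted even if it was tampered with. Suggest rewording along those lines, which also ties the bullet to the GCM mitigation further down.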
@@ -33,11 +32,7 @@ Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes tha - **Insecure padding scheme**: Using padding schemes that are vulnerable to attacks, such as PKCS1V1.5 or PKCS#7 when used with CBC mode of operation. - **Custom padding solutions**: Implementing custom or non-standard padding schemes that have not been sufficiently tested or that lack certification. - **Improper padding validation**: Failure to correctly validate and handle padding errors, potentially leaking information to attackers via error messages or timing discrepancies. -- **Outdated cryptographic libraries**: Using libraries or algorithms with known padding vulnerabilities (e.g. Padding Oracle). ## Mitigations -- **Use standard cryptographic libraries and avoid custom cryptography**: Avoid developing custom cryptographic algorithms with custom padding schemes. Always prefer well-established and widely accepted cryptographic libraries such as OpenSSL, BoringSSL, or platform-specific libraries such as Android's Conscrypt and Apple's CryptoKit. These libraries have undergone extensive testing and are regularly updated to address new security threats. - **Implement proper and secure padding validation**: Use established and secure padding schemes, ensuring that padding is properly validated when necessary for the encryption mode. When possible, use authenticated encryption modes like GCM, which eliminate the need for padding and include built-in integrity verification. -- **Regularly update cryptographic libraries**: Ensure the cryptographic libraries in use are up-to-date to avoid known vulnerabilities related to padding attacks. -- **Perform periodic security audits**: If using custom cryptography is unavoidable, perform regular security audits (including thorough code reviews) to identify and remediate any flaws in your custom cryptographic implementations. Engage external security experts to provide an unbiased assessment.
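Review bot: after this hunk the Mitigations section has a single bullet, and the **Custom padding solutions** mode of introduction kept above no longer has a matching mitigation, because the "avoid custom cryptography" bullet is removed here. Either keep a one-line pointer to the weakness that covers custom cryptography or fold "prefer platform or standard-library padding over custom schemes" into the remaining bullet. That bullet also only says "use established and secure padding schemes"; naming the standard replacement for the PKCS1v1.5 example (RSA-OAEP) would make it actionable. Unchanged context still spells the scheme `PKCS1V1.5` while the Overview uses `PKCS1v1.5`; pick one spelling. Commit subject: "unneded" is a typo.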