Update Cryptographic Language (e.g. "weak") #3199
Conversation
|
@cpholguera What do you do with external links that return HTTP status 403 or 0, but that can be reached by human browsing? |
|
I am leaving the internal links as they are. It's ok to use the word "weak" as a general term when talking about a category of issues. My reaction and corrections is meant to make it more specific as to what we are talking about when we are referring to cryptographic concepts. A padding scheme can be predictable, the bit-size of an algorithm insufficient, input validation and crypto configuration, inappropriate or improper and so on. |
|
There is something not working with the MASTG-DEMO tests. The moment I started touching them, the matrix broke. So I am leaving them aside. |
Is this about the GitHub action failing? You can add them to https://github.com/OWASP/owasp-mastg/blob/master/.github/workflows/config/url-checker-config.json |
I just fixed the matrix. If you |
cpholguera
left a comment
cpholguera
left a comment
There was a problem hiding this comment.
Just a quick first pass for now, thanks a lot @sydseter!
|
Idea: maybe we could also build a glossary for these and other terms. See: |
Co-authored-by: Carlos Holguera <[email protected]>
Co-authored-by: Carlos Holguera <[email protected]>
…pdate terminology for random APIs
…into pr/sydseter/3199-1
…ing the importance of using Cryptographically Secure Pseudo-Random Number Generators (CSPRNGs) for security-critical values.
…/sydseter/3199-1
5 participants
This PR closes #3200.
This PR replaces imprecise “weak” terminology with more specific language (e.g., “predictable,” “broken,” “risky”), expands cryptographic guidance (e.g., forward-compliance, post-quantum, CBC-MAC pitfalls), and updates several titles, statuses, and references across weaknesses, tests, rules, demos, and documentation.
New terminology:
Insufficient:
A protection or behavior exists but does not meet required strength or standards.
Used for things that vary on a sliding scale like key length, entropy, iteration counts.
“It’s there but not enough.”
Missing:
A required protection or behavior is entirely absent.
Used for things like missing HMAC, salt, certificate validation.
“It’s not there at all.”
Incorrect:
A protection is implemented, but done improperly.
Used for logic flaws, misuse of cryptographic operations, or broken error handling.
“It’s there but it’s wrong.”
Broken:
The cryptographic primitive or mode is fundamentally insecure due to known attacks, regardless of implementation (e.g. disallowed or deprecated by NIST).
Example: SHA-1, ECB mode.
Improper:
A broad term used to cover missing, insufficient, or incorrect behavior.
Acts as a wrapper for multiple failure types.
Risky:
A configuration or usage is not formally disallowed (e.g. by NIST) but has reduced safety margins or known weaknesses under some conditions.
Example: AES-CBC with PKCS#7, RSA PKCS#1 v1.5.
Weak (DO NOT USE):
Ambiguous term discouraged in precise taxonomies.
Avoid using it, as it can mean both broken or risky.
Here's how it applies to this PR:
Uses of Insufficient Key Size in SecKeyCreateRandomKey
Insufficient Key Sizes (tests)
Broken Symmetric Encryption Algorithms
Broken Encryption Modes
Improper Cryptographic Key Generation
Improper Hashing
Here's a summary of how I applied them to the specific components in this PR:
MASWE-0009: Improper Cryptographic Key Generation
MASTG-TEST-0208: Insufficient Key Sizes
MASTG-TEST-0209: Insufficient Key Sizes
MASWE-0010: Improper Cryptographic Key Derivation
MASWE-0019: Risky Cryptography Implementations
MASWE-0020: Improper Encryption
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0232: Broken Symmetric Encryption Modes
MASTG-TEST-0210: Broken Symmetric Encryption Algorithms
MASWE-0021: Improper Hashing
MASTG-TEST-0211: Broken Hashing Algorithms
MASWE-0023: Risky Padding
MASWE-0024: Improper Use of Message Authentication Code (MAC)
MASWE-0025: Improper Generation of Cryptographic Signatures
MASWE-0027: Improper Random Number Generation
Other changes include: