Difference between revisions of "Category:Cryptographic Vulnerability"

Latest revision as of 16:15, 13 September 2010

This category is for tagging vulnerabilities that related to cryptographic modules.

Algorithm Problems
- Insecure Algorithm
  - Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
  - Use non-standard (home-grown) algorithms
- Choose the wrong algorithm
  - Use hash function for encryption
  - Use encryption algorithm for hashing
- Inappropriate use of an algorithm
  - Use insecure encryption modes (DES EBC)
  - Initial vector is not random
- Implementation errors
  - Use non-standard cryptographic implementations/libraries
Key Management Problems
- Weak keys
  - Too short or not random enough
  - Use human chosen passwords as cryptographic keys
- Key disclosure
  - Keys not encrypted during storage or transmission
  - Keys not cleaned appropriately after use
  - Keys Hard-coded in the code or stored in configuration files
- Key updates
  - Allow keys aging
Random Number Generator (RNG) Problems
- Poor random number generators (c: rand(), Java: java.util.Random())
- Forget to seed the random number generator
- Use the same seed for the random number generator every time
- Sniffing

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

The following 9 pages are in this category, out of 9 total.

@@ Line 5: / Line 5: @@
 * Algorithm Problems
 ** Insecure Algorithm
-*** Use algorithms that are proven flawed or weak (DES, MD5)
+*** Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
 *** Use non-standard (home-grown) algorithms
 ** Choose the wrong algorithm
@@ Line 28: / Line 28: @@
 ** Poor random number generators (c: rand(), Java: java.util.Random())
 ** Forget to seed the random number generator
 ** Use the same seed for the random number generator every time
+** Sniffing
 [[Category:Vulnerability]]
 {{Template:Stub}}