This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

To view the new OWASP Foundation website, please visit https://owasp.org

# Difference between revisions of "Testing for Weak Encryption (OTG-CRYPST-004)"

(→Basic Security Checklist) (Tag: Visual edit) |
|||

Line 9: | Line 9: | ||

=== Basic Security Checklist === | === Basic Security Checklist === | ||

− | * The IV (Initialization vector) must be random and unpredictable. Refer to ''[http://csrc.nist.gov/cryptval/140-2.htm FIPS 140-2, Security Requirements for Cryptographic Modules]'', section 4.9.1. random number generator tests. For example, in Java, "java.util.Random" is considered a weak random number generator. "java.security.SecureRandom" should be used instead of "java.util.Random". | + | * When the uses of AES128 and AES256, The IV (Initialization vector) must be random and unpredictable. Refer to ''[http://csrc.nist.gov/cryptval/140-2.htm FIPS 140-2, Security Requirements for Cryptographic Modules]'', section 4.9.1. random number generator tests. For example, in Java, "java.util.Random" is considered a weak random number generator. "java.security.SecureRandom" should be used instead of "java.util.Random". |

* When uses of RSA in encryption, Optimal Asymmetric Encryption Padding (OAEP) mode is recommended. | * When uses of RSA in encryption, Optimal Asymmetric Encryption Padding (OAEP) mode is recommended. | ||

* When uses of RSA in signature, PSS padding is recommended. | * When uses of RSA in signature, PSS padding is recommended. | ||

− | * Weak hash/encryption algorithms should not be used such MD5, RC4, SHA1. | + | * Weak hash/encryption algorithms should not be used such MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) |

− | * | + | * Minimum Key length requirement: |

Key exchange: Diffie–Hellman key exchange with minimum 2048 bits | Key exchange: Diffie–Hellman key exchange with minimum 2048 bits | ||

Message Integrity: HMAC-SHA2 | Message Integrity: HMAC-SHA2 | ||

Line 22: | Line 22: | ||

ECDH、ECDSA: 256 bits | ECDH、ECDSA: 256 bits | ||

* Uses of SSH, CBC mode should not be used. | * Uses of SSH, CBC mode should not be used. | ||

+ | * When symmetric encryption algorithm is used, ECB (Electronic Code Book) mode should not be used. | ||

+ | * When PBKDF2 is used to hash password, the parameter of iteration is recommended to be over 10000. [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5 NIST] also suggests at least 10,000 iterations of the hash function. In addition, MD5 hash function is forbidden to be used with PBKDF2 such as PBKDF2WithHmacMD5. | ||

+ | |||

+ | === Source Code Review === | ||

+ | * Search for the following keyword to check if any weak encryption algorithm is used. | ||

== Tools == | == Tools == | ||

Line 31: | Line 36: | ||

* OAEP http://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding | * OAEP http://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding | ||

* [[Cryptographic Storage Cheat Sheet]] | * [[Cryptographic Storage Cheat Sheet]] | ||

+ | * [[Password Storage Cheat Sheet]] | ||

+ | * https://www.securecoding.cert.org/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms | ||

+ | * [[Insecure Randomness]] | ||

+ | * [[Insufficient Entropy]] | ||

+ | * [[Insufficient Session-ID Length]] | ||

+ | * [[Use of hard-coded cryptographic key]] | ||

+ | * [[Using a broken or risky cryptographic algorithm]] | ||

+ | * [[Testing for SSL-TLS (OWASP-CM-001)]] |

## Revision as of 06:22, 8 May 2017

## Summary

Incorrect uses of encryption algorithm may result in sensitive data exposure, key leakage, broken authentication, insecure session and spoofing attack. There are some encryption or hash algorithm is known to be weak and not suggested to be used anymore such MD5 and RC4.

In addition to the right choices of secure encryption or hash algorithm, the right uses of parameters also mater the security level. For example, ECB (Electronic Code Book) mode is not suggested to be used in asymmetric encryption.

The testing guide is trying to provide a guideline how to identify the weak encryption and hash.

## How to Test

### Basic Security Checklist

- When the uses of AES128 and AES256, The IV (Initialization vector) must be random and unpredictable. Refer to
*FIPS 140-2, Security Requirements for Cryptographic Modules*, section 4.9.1. random number generator tests. For example, in Java, "java.util.Random" is considered a weak random number generator. "java.security.SecureRandom" should be used instead of "java.util.Random". - When uses of RSA in encryption, Optimal Asymmetric Encryption Padding (OAEP) mode is recommended.
- When uses of RSA in signature, PSS padding is recommended.
- Weak hash/encryption algorithms should not be used such MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES)
- Minimum Key length requirement:

Key exchange: Diffie–Hellman key exchange with minimum 2048 bits Message Integrity: HMAC-SHA2 Message Hash: SHA2 256 bits Assymetric encryption: RSA 2048 bits Symmetric-key algorithm: AES 128 bits Password Hashing: PBKDF2, Scrypt, Bcrypt ECDH、ECDSA: 256 bits

- Uses of SSH, CBC mode should not be used.
- When symmetric encryption algorithm is used, ECB (Electronic Code Book) mode should not be used.
- When PBKDF2 is used to hash password, the parameter of iteration is recommended to be over 10000. NIST also suggests at least 10,000 iterations of the hash function. In addition, MD5 hash function is forbidden to be used with PBKDF2 such as PBKDF2WithHmacMD5.

### Source Code Review

- Search for the following keyword to check if any weak encryption algorithm is used.

## Tools

## References

- NIST FIPS http://csrc.nist.gov/publications/PubsFIPS.html
- IV https://en.wikipedia.org/wiki/Initialization_vector
- https://www.securecoding.cert.org/confluence/display/java/MSC02-J.+Generate+strong+random+numbers
- OAEP http://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding
- Cryptographic Storage Cheat Sheet
- Password Storage Cheat Sheet
- https://www.securecoding.cert.org/confluence/display/java/MSC61-J.+Do+not+use+insecure+or+weak+cryptographic+algorithms
- Insecure Randomness
- Insufficient Entropy
- Insufficient Session-ID Length
- Use of hard-coded cryptographic key
- Using a broken or risky cryptographic algorithm
- Testing for SSL-TLS (OWASP-CM-001)