Difference between revisions of "Category:Cryptographic Vulnerability"

From OWASP
Jump to: navigation, search
(Examples)
 
Line 5: Line 5:
 
* Algorithm Problems
 
* Algorithm Problems
 
** Insecure Algorithm
 
** Insecure Algorithm
*** Use algorithms that are proven flawed or weak (DES, MD5)
+
*** Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
 
*** Use non-standard (home-grown) algorithms
 
*** Use non-standard (home-grown) algorithms
 
** Choose the wrong algorithm
 
** Choose the wrong algorithm
Line 28: Line 28:
 
** Poor random number generators (c: rand(), Java: java.util.Random())
 
** Poor random number generators (c: rand(), Java: java.util.Random())
 
** Forget to seed the random number generator
 
** Forget to seed the random number generator
** Use the same seed for the random number generator every time  
+
** Use the same seed for the random number generator every time
 +
** Sniffing
  
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]
  
 
{{Template:Stub}}
 
{{Template:Stub}}

Latest revision as of 11:15, 13 September 2010

This category is for tagging vulnerabilities that related to cryptographic modules.

Examples

  • Algorithm Problems
    • Insecure Algorithm
      • Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
      • Use non-standard (home-grown) algorithms
    • Choose the wrong algorithm
      • Use hash function for encryption
      • Use encryption algorithm for hashing
    • Inappropriate use of an algorithm
      • Use insecure encryption modes (DES EBC)
      • Initial vector is not random
    • Implementation errors
      • Use non-standard cryptographic implementations/libraries
  • Key Management Problems
    • Weak keys
      • Too short or not random enough
      • Use human chosen passwords as cryptographic keys
    • Key disclosure
      • Keys not encrypted during storage or transmission
      • Keys not cleaned appropriately after use
      • Keys Hard-coded in the code or stored in configuration files
    • Key updates
      • Allow keys aging
  • Random Number Generator (RNG) Problems
    • Poor random number generators (c: rand(), Java: java.util.Random())
    • Forget to seed the random number generator
    • Use the same seed for the random number generator every time
    • Sniffing
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.