Category:Cryptographic Vulnerability

From OWASP
Revision as of 14:45, 15 September 2006

This category is for tagging vulnerabilities that relate to cryptographic modules: weak or misused algorithms, poor key management, and bad sources of randomness.

Examples

  • Algorithm Problems
    • Insecure algorithm
      • Using algorithms that are proven flawed or weak (DES, MD5)
      • Using non-standard (home-grown) algorithms
    • Choosing the wrong algorithm
      • Using a hash function for encryption
      • Using an encryption algorithm for hashing
    • Inappropriate use of an algorithm
      • Using insecure encryption modes (DES in ECB mode)
      • Initialization vector (IV) is not random (fixed, predictable, or reused)
    • Implementation errors
      • Using non-standard cryptographic implementations/libraries
  • Key Management Problems
    • Weak keys
      • Too short or not random enough
      • Using human-chosen passwords directly as cryptographic keys
    • Key disclosure
      • Keys not encrypted during storage or transmission
      • Keys not cleaned from memory appropriately after use
      • Keys hard-coded in the code or stored in configuration files
    • Key updates
      • Allowing keys to age without rotation
  • Random Number Generator (RNG) Problems
    • Poor (non-cryptographic) random number generators (C: rand(), Java: java.util.Random)
    • Forgetting to seed the random number generator
    • Using the same seed for the random number generator every time
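As an added example (not part of this OWASP page), the following Python script makes three of the listed problems concrete: ECB mode and a fixed IV leaking message structure, a human-chosen password used directly as a key versus a salted PBKDF2 derivation, and a seeded general-purpose PRNG versus the OS CSPRNG. It assumes Python 3 with only the standard library. Because the standard library ships no AES, a small HMAC-SHA256 Feistel network stands in for the block cipher so that the mode logic can run; that stand-in is an assumption of the example, not a real cipher, and is itself the kind of home-grown construction the list warns against. The function names and the sample plaintext are constructed for the demo.

```python
import hashlib
import hmac
import random
import secrets

BLOCK = 16        # block size in bytes, same as AES
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF over (round index, half block).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block permutation (4-round Feistel).  Assumption of this demo,
    NOT a real cipher; present only because the stdlib has no AES."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def _blocks(data: bytes) -> list:
    # Demo assumes len(data) is a multiple of BLOCK; no padding is applied.
    assert len(data) % BLOCK == 0
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Insecure mode: blocks are encrypted independently, so equal plaintext
    blocks give equal ciphertext blocks and the message structure leaks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def cbc_encrypt(key: bytes, pt: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for
    the first).  The IV is prepended; it must be fresh and unpredictable."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    chunks = _blocks(ct)   # chunks[0] is the IV
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(chunks, chunks[1:]))

def repeated_blocks(ct: bytes) -> int:
    """ECB detection check: count of duplicate ciphertext blocks.  Anything
    above 0 on non-trivial data is a strong indicator of ECB mode."""
    chunks = _blocks(ct)
    return len(chunks) - len(set(chunks))

def key_from_password_insecure(password: str) -> bytes:
    """Weak key: the human-chosen password, zero-padded, IS the key.  Same
    password -> same key everywhere, with only the password's entropy."""
    return password.encode().ljust(32, b"\0")[:32]

def key_from_password(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a random per-user salt.  Still bounded by the
    password's entropy, but defeats precomputation and slows brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def token_insecure(seed: int, nbytes: int = 16) -> bytes:
    """Poor RNG: a Mersenne Twister (like java.util.Random or rand()) seeded
    with a guessable constant yields the same 'secret' token on every run."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def token_secure(nbytes: int = 16) -> bytes:
    """Use the OS CSPRNG; there is no seed to forget or reuse."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pt = b"0123456789ABCDEF" * 8   # constructed: eight identical blocks
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(key, pt)))
    print("CBC duplicate blocks:",
          repeated_blocks(cbc_encrypt(key, pt, secrets.token_bytes(BLOCK))[BLOCK:]))
    print("fixed-IV CBC is deterministic:",
          cbc_encrypt(key, pt, bytes(BLOCK)) == cbc_encrypt(key, pt, bytes(BLOCK)))
    print("seeded token repeats:", token_insecure(1234) == token_insecure(1234))
```

Running the script shows 7 duplicate blocks for ECB and 0 for CBC with a random IV, and that CBC under a fixed IV encrypts the same message to the identical ciphertext every time, which is the "initialization vector is not random" item in practice. The repeated_blocks check is the same heuristic used to fingerprint ECB during black-box testing of an unknown encryption oracle.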