% usage of crypt()
\begin{enumerate}[label={7.\arabic*}]

\addtocounter{enumi}{1}
\item
\TODO{}
Verify that all cryptographic modules fail securely, and errors are handled
in a way that does not enable oracle padding.

\addtocounter{enumi}{3}
\notapplicable{
\item
Verify that all random numbers, random file names, random GUIDs, and random
strings are generated using the cryptographic module’s approved random
number generator when these random values are intended to be not guessable
by an attacker.
}

\item
\TODO{}
Verify that cryptographic algorithms used by the application have been
validated against FIPS 140-2 or an equivalent standard.

\notapplicable{
\item
Verify that cryptographic modules operate in their approved mode according
to their published security policies.
}

\notapplicable{
\item
Verify that there is an explicit policy for how cryptographic keys are
managed (e.g., generated, distributed, revoked, and expired). Verify that
this key lifecycle is properly enforced.
}

\addtocounter{enumi}{1}
\notapplicable{
\item
Verify that all consumers of cryptographic services do not have direct
access to key material. Isolate cryptographic processes, including master
secrets, and consider the use of a virtualized or physical hardware key vault
(HSM).
}

\notapplicable{
\item
\textit{Personally Identifiable Information} should be stored encrypted at
rest and ensure that communication goes via protected channels.
}

\notapplicable{
\item
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it is no longer required, to mitigate memory
dumping attacks.
}

\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
}

\notapplicable{
\item
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstances.
}

\end{enumerate}