% usage of crypt()
-\begin{enumerate}[label={7.\arabic*}]
+\begin{enumerate}[label={V7.\arabic*}]
\addtocounter{enumi}{1}
\item
}
\item
- \TODO{}
Verify that cryptographic algorithms used by the application have been
validated against FIPS 140-2 or an equivalent standard.
\begin{result}
- The application uses md-5 for password hashing, which should be insecure by
+ The application uses MD5 for password hashing, which should be insecure by
now.
\end{result}
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
+ % FIXME(dsprenkels) Passwords should be zero'd?
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
+ % FIXME(dsprenkels) This *is* relevant (passwords)
}
\notapplicable{
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
+ % FIXME(dsprenkels) This *is* relevant: password generation of the admin
+ % password in the install script uses a Mersenne twister!
}
\end{enumerate}