repositories
/
ssproject1617.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Minor fixes (mainly textual) for v{2,3,4,5,7,8,11}
[ssproject1617.git]
/
report
/
v7_cryptography.tex
diff --git
a/report/v7_cryptography.tex
b/report/v7_cryptography.tex
index
b2a3876
..
2d83ce2
100644
(file)
--- a/
report/v7_cryptography.tex
+++ b/
report/v7_cryptography.tex
@@
-1,10
+1,16
@@
-\begin{enumerate}[label={7.\arabic*}]
+% usage of crypt()
+\begin{enumerate}[label={V7.\arabic*}]
\addtocounter{enumi}{1}
\item
\addtocounter{enumi}{1}
\item
- \
TODO
{}
+ \
pass
{}
Verify that all cryptographic modules fail securely, and errors are handled
in a way that does not enable oracle padding.
Verify that all cryptographic modules fail securely, and errors are handled
in a way that does not enable oracle padding.
+ \begin{result}
+ The only cryptographic operation is the hashing of the password, which can
+ not be vulnerable to a padding attack as it does not use a block cipher.
+ \end{result}
+
\addtocounter{enumi}{3}
\notapplicable{
\addtocounter{enumi}{3}
\notapplicable{
@@
-16,9
+22,12
@@
}
\item
}
\item
- \TODO{}
Verify that cryptographic algorithms used by the application have been
validated against FIPS 140-2 or an equivalent standard.
Verify that cryptographic algorithms used by the application have been
validated against FIPS 140-2 or an equivalent standard.
+ \begin{result}
+ The application uses MD5 for password hashing, which should be insecure by
+ now.
+ \end{result}
\notapplicable{
\item
\notapplicable{
\item
@@
-53,12
+62,14
@@
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
+ % FIXME(dsprenkels) Passwords should be zero'd?
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
+ % FIXME(dsprenkels) This *is* relevant (passwords)
}
\notapplicable{
}
\notapplicable{
@@
-66,6
+77,8
@@
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
+ % FIXME(dsprenkels) This *is* relevant: password generation of the admin
+ % password in the install script uses a Mersenne twister!
}
\end{enumerate}
}
\end{enumerate}