repositories
/
ssproject1617.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Initial organization stub
[ssproject1617.git]
/
report
/
v7_cryptography.tex
diff --git
a/report/v7_cryptography.tex
b/report/v7_cryptography.tex
index
293dd19
..
b7bef87
100644
(file)
--- a/
report/v7_cryptography.tex
+++ b/
report/v7_cryptography.tex
@@
-1,25
+1,34
@@
% usage of crypt()
% usage of crypt()
-\begin{enumerate}[label={7.\arabic*}]
+\begin{enumerate}[label={
V
7.\arabic*}]
\addtocounter{enumi}{1}
\item
\addtocounter{enumi}{1}
\item
- \
TODO
{}
+ \
pass
{}
Verify that all cryptographic modules fail securely, and errors are handled
in a way that does not enable oracle padding.
Verify that all cryptographic modules fail securely, and errors are handled
in a way that does not enable oracle padding.
+ \begin{result}
+ The only cryptographic operation is the hashing of the password, which can
+ not be vulnerable to a padding attack as it does not use a block cipher.
+ \end{result}
+
\addtocounter{enumi}{3}
\notapplicable{
\item
\addtocounter{enumi}{3}
\notapplicable{
\item
- Verify that all random numbers, random file names, random
GUID
s, and random
+ Verify that all random numbers, random file names, random
\GUID{}
s, and random
strings are generated using the cryptographic module’s approved random
number generator when these random values are intended to be not guessable
by an attacker.
}
\item
strings are generated using the cryptographic module’s approved random
number generator when these random values are intended to be not guessable
by an attacker.
}
\item
- \
TODO
{}
+ \
fail
{}
Verify that cryptographic algorithms used by the application have been
Verify that cryptographic algorithms used by the application have been
- validated against FIPS 140-2 or an equivalent standard.
+ validated against FIPS 140{-}2 or an equivalent standard.
+ \begin{result}
+ The application uses MD5 for password hashing, which is insecure by current
+ standards
+ \end{result}
\notapplicable{
\item
\notapplicable{
\item
@@
-54,12
+63,14
@@
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
+ % FIXME(dsprenkels) Passwords should be zero'd?
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
+ % FIXME(dsprenkels) This *is* relevant (passwords)
}
\notapplicable{
}
\notapplicable{
@@
-67,6
+78,8
@@
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
+ % FIXME(dsprenkels) This *is* relevant: password generation of the admin
+ % password in the install script uses a Mersenne twister!
}
\end{enumerate}
}
\end{enumerate}