% usage of crypt()
-\begin{enumerate}[label={7.\arabic*}]
+\begin{enumerate}[label={V7.\arabic*}]
\addtocounter{enumi}{1}
\item
\addtocounter{enumi}{3}
\notapplicable{
\item
- Verify that all random numbers, random file names, random GUIDs, and random
+ Verify that all random numbers, random file names, random \GUID{}s, and random
strings are generated using the cryptographic module’s approved random
number generator when these random values are intended to be not guessable
by an attacker.
}
\item
- \TODO{}
+ \fail{}
Verify that cryptographic algorithms used by the application have been
- validated against FIPS 140-2 or an equivalent standard.
+ validated against FIPS 140{-}2 or an equivalent standard.
\begin{result}
- The application uses md-5 for password hashing, which should be insecure by
- now.
+ The application uses MD5 for password hashing, which is insecure by current
+ standards
\end{result}
\notapplicable{
Verify that sensitive passwords or key material maintained in memory is
overwritten with zeros as soon as it no longer required, to mitigate memory
dumping attacks.
+ % FIXME(dsprenkels) Passwords should be zero'd?
}
\notapplicable{
\item
Verify that all keys and passwords are replaceable, and are generated or
replaced at installation time.
+ % FIXME(dsprenkels) This *is* relevant (passwords)
}
\notapplicable{
Verify that random numbers are created with proper entropy even when the
application is under heavy load, or that the application degrades gracefully
in such circumstance.
+ % FIXME(dsprenkels) This *is* relevant: password generation of the admin
+ % password in the install script uses a Mersenne twister!
}
\end{enumerate}
repositories / ssproject1617.git / blobdiff