X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv7_cryptography.tex;h=1a015f2c59dca3c7264a2aec6b59a0c126d7c27e;hb=37c1ce0fc9ce34e0629c0b4384edfbc1297f3e79;hp=952d832be69641b7477f8c42c61ab5a3bbb9604a;hpb=b4eaf4d5efb8cea0c57c5d14be25ff38c1deeb2d;p=ssproject1617.git diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex index 952d832..1a015f2 100644 --- a/report/v7_cryptography.tex +++ b/report/v7_cryptography.tex @@ -13,38 +13,56 @@ \addtocounter{enumi}{3} - \notapplicable{ \item - Verify that all random numbers, random file names, random GUIDs, and random + \fail{} + Verify that all random numbers, random file names, random \GUID{}s, and random strings are generated using the cryptographic module’s approved random number generator when these random values are intended to be not guessable by an attacker. - } + \begin{result} + The application uses \PHP{}'s \code{mt\_rand()} function to generate the + initial password. This function uses a Mersenne Twister and does not + generate cryptographically secure values. + \end{result} + \item - \TODO{} + \fail{} Verify that cryptographic algorithms used by the application have been - validated against FIPS 140-2 or an equivalent standard. + validated against FIPS 140{-}2 or an equivalent standard. \begin{result} - The application uses md-5 for password hashing, which should be insecure by - now. + \begin{itemize}[leftmargin=*] + \item + The application uses MD5 for password hashing, which is insecure by current + standards of FIPS 140{-}2. + \item + The application uses \code{crypt()} for passwords, and does not supply a + salt in these cases. This means \PHP{} will use DES{-}based algorithm, + which is insecure by the current standard of FIPS 140{-}2. + \end{itemize} \end{result} - \notapplicable{ + \notapplicable{% \item Verify that cryptographic modules operate in their approved mode according to their published security policies. } - \notapplicable{ \item + \fail{} Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced. - } + \begin{result} + There is no such policy. The unique application key that is used to sign + passwords in generated by \code{mt\_rand()}, which is insuitable for + generating cryptographically secure values. The lifecycle of this key is + unlimited. + \end{result} + \addtocounter{enumi}{1} - \notapplicable{ + \notapplicable{% \item Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master @@ -52,26 +70,36 @@ (HSM). } - \notapplicable{ \item + \fail{} \textit{Personally Identifiable Information} should be stored encrypted at rest and ensure that communication goes via protected channels. - } + \begin{result} + The information stored consists of an email address, the user's real + name and a biography. All of these are stored in the database unencrypted. + \end{result} - \notapplicable{ \item + \fail{} Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it no longer required, to mitigate memory dumping attacks. - } + \begin{result} + This does not happen anywhere, any passwords submitted to the application + will stay in memory for an undefined amount of time. + \end{result} - \notapplicable{ \item + \pass{} Verify that all keys and passwords are replaceable, and are generated or replaced at installation time. - } + \begin{result} + All users can replace their password in their profile. Note that there is + no `confirmation field' which makes it easy to change an password to an + unintended value. + \end{result} - \notapplicable{ + \notapplicable{% \item Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully