X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv7_cryptography.tex;h=2d83ce2114fc1c78517b85702f20fadc115dc661;hb=06d7ae862f750a89968a0c7c2104b133e801d3a5;hp=293dd195b97452c7a418b9b06c6fc07f06723b3f;hpb=a06f593282947a490cc23d1186eddfdd4774f790;p=ssproject1617.git diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex index 293dd19..2d83ce2 100644 --- a/report/v7_cryptography.tex +++ b/report/v7_cryptography.tex @@ -1,11 +1,16 @@ % usage of crypt() -\begin{enumerate}[label={7.\arabic*}] +\begin{enumerate}[label={V7.\arabic*}] \addtocounter{enumi}{1} \item - \TODO{} + \pass{} Verify that all cryptographic modules fail securely, and errors are handled in a way that does not enable oracle padding. + \begin{result} + The only cryptographic operation is the hashing of the password, which can + not be vulnerable to a padding attack as it does not use a block cipher. + \end{result} + \addtocounter{enumi}{3} \notapplicable{ @@ -17,9 +22,12 @@ } \item - \TODO{} Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. + \begin{result} + The application uses MD5 for password hashing, which should be insecure by + now. + \end{result} \notapplicable{ \item @@ -54,12 +62,14 @@ Verify that sensitive passwords or key material maintained in memory is overwritten with zeros as soon as it no longer required, to mitigate memory dumping attacks. + % FIXME(dsprenkels) Passwords should be zero'd? } \notapplicable{ \item Verify that all keys and passwords are replaceable, and are generated or replaced at installation time. + % FIXME(dsprenkels) This *is* relevant (passwords) } \notapplicable{ @@ -67,6 +77,8 @@ Verify that random numbers are created with proper entropy even when the application is under heavy load, or that the application degrades gracefully in such circumstance. + % FIXME(dsprenkels) This *is* relevant: password generation of the admin + % password in the install script uses a Mersenne twister! } \end{enumerate}