X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;f=report%2Fv7_cryptography.tex;h=b7bef87f76af6b3624bb218705f13bd2f43cbf5f;hb=f907dd355223b6c59eb774880b391969fd7543b8;hp=b2a387683dbe3915cda961655536afe7ea77bd53;hpb=2ef9a68b3bb4325db2bfea2eb729faa03a776366;p=ssproject1617.git

diff --git a/report/v7_cryptography.tex b/report/v7_cryptography.tex
index b2a3876..b7bef87 100644
--- a/report/v7_cryptography.tex
+++ b/report/v7_cryptography.tex
@@ -1,24 +1,34 @@
-\begin{enumerate}[label={7.\arabic*}]
+% usage of crypt()
+\begin{enumerate}[label={V7.\arabic*}]
 
   \addtocounter{enumi}{1}
     \item
-    \TODO{}
+    \pass{}
     Verify that all cryptographic modules fail securely, and errors are handled
     in a way that does not enable oracle padding.
+    \begin{result}
+    The only cryptographic operation is the hashing of the password, which can
+      not be vulnerable to a padding attack as it does not use a block cipher.
+    \end{result}
+
 
   \addtocounter{enumi}{3}
   \notapplicable{
     \item
-    Verify that all random numbers, random file names, random GUIDs, and random
+    Verify that all random numbers, random file names, random \GUID{}s, and random
     strings are generated using the cryptographic module’s approved random
     number generator when these random values are intended to be not guessable
     by an attacker.
   }
 
     \item
-    \TODO{}
+    \fail{}
     Verify that cryptographic algorithms used by the application have been
-    validated against FIPS 140-2 or an equivalent standard.
+    validated against FIPS 140{-}2 or an equivalent standard.
+    \begin{result}
+    The application uses MD5 for password hashing, which is insecure by current
+    standards
+    \end{result}
 
   \notapplicable{
     \item
@@ -53,12 +63,14 @@
     Verify that sensitive passwords or key material maintained in memory is
     overwritten with zeros as soon as it no longer required, to mitigate memory
     dumping attacks.
+    % FIXME(dsprenkels) Passwords should be zero'd?
   }
 
   \notapplicable{
     \item
     Verify that all keys and passwords are replaceable, and are generated or
     replaced at installation time.
+    % FIXME(dsprenkels) This *is* relevant (passwords)
   }
 
   \notapplicable{
@@ -66,6 +78,8 @@
     Verify that random numbers are created with proper entropy even when the
     application is under heavy load, or that the application degrades gracefully
     in such circumstance.
+    % FIXME(dsprenkels) This *is* relevant: password generation of the admin
+    %                   password in the install script uses a Mersenne twister!
   }
 
 \end{enumerate}