Clarifying Cryptographic Language (e.g. "weak") in MASTG-TEST-0210 & MASTG-TEST-0211 #3191
Closed
sydseter started this conversation in MASWE & MASTG v2 Beta Feedback
I agree with you @sydseter and we should update this everywhere we use it: see it in weaknesses, tests and demos. I think we should also include fixes and an explicit explanation in https://github.com/OWASP/owasp-mastg/blob/master/Document/0x04g-Testing-Cryptography.md and ensure all those weaknesses and tests refer back to this chapter. Would you like to give it a try in a new PR? I think "approved" can be a good option that's currently used by NIST, for example: https://csrc.nist.gov/glossary/term/Approved_Cryptography
Hi, first of all, great work porting from MASTG 1.7 to MASTG 2.0. I would like to raise a discussion around the language and tests related to MASVS-CRYPTO.
When defining tests concerning cryptographic hashing and encryption it may be good to have a look at the work that has been done by ASVS since most of it should be applicable within mobile development as well. See:
E.g: MASTG-TEST-0211: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x14-V6-Cryptography.md#v66-hashing-and-hash-based-functions
E.g: MASTG-TEST-0210: https://github.com/OWASP/ASVS/blob/master/5.0/en/0x14-V6-Cryptography.md#v65-encryption-algorithms
I noticed that the language used terms that are hard to define (e.g. "weak" and "hashing operations"). A weak hashing algorithm like MD5 or SHA-1 may be perfectly fine depending on what it is used for. I think it may be good, for readability, to be more specific as to what hashing operations we are referring to and also to say something about what we mean by "weak". Perhaps "weak" is not the right word. Perhaps, instead, we should use "recommended" or "approved"?
I am also thinking that there is a lot that may make an algorithm "weak", e.g. the way IV, salt, padding, etc. are used. Should these be separate tests, or should they be part of MASTG-TEST-0210 and MASTG-TEST-0211?
Only a suggestion. What do you think?