
Update Cryptographic Language (e.g. "weak") #3199

Open: wants to merge 61 commits into base: master
Conversation

@sydseter (Collaborator) commented Mar 7, 2025

This PR contains:

  • Addition concerning Symmetric encryption
  • Additional advice on forward compliance with NIST
  • Additional recommendation on the use of EdDSA with Edwards448
  • Post-Quantum recommendations
  • Additional recommendations concerning the use of a key-derivation key.
  • CSPRNG alignment with ASVS.
  • Additional recommendation when using CBC with MAC.
  • Attack related to CBC-MAC
  • Removing the use of the word “weak”. Instead focusing on recommendations and advice.
  • Adding appropriate description, impact, modes of introduction and mitigations to MASWE-0010, MASWE-0021, MASWE-0024 and MASWE-0025.

This PR closes #3200.

@cpholguera cpholguera changed the title Cryptography Update Cryptographic Language (e.g. "weak") Mar 7, 2025
@sydseter (Collaborator, Author)

@cpholguera What do you do with external links that return HTTP status 403 or 0, but that can be reached by human browsing?

@sydseter (Collaborator, Author)

I am leaving the internal links as they are. It's ok to use the word "weak" as a general term when talking about a category of issues. My reaction and corrections are meant to make it more specific as to what we are talking about when we are referring to cryptographic concepts. A padding scheme can be predictable, the bit-size of an algorithm insufficient, input validation and crypto configuration inappropriate or improper, and so on.
I think it is better to rename the links as more MASWE gets defined. As I see it now, it isn't very problematic to leave it as it is.

@sydseter (Collaborator, Author) commented Mar 11, 2025

There is something not working with the MASTG-DEMO tests. The moment I started touching them, the matrix broke. So I am leaving them aside.

@cpholguera (Collaborator)

> @cpholguera What do you do with external links that return HTTP status 403 or 0, but that can be reached by human browsing?

Is this about the GitHub action failing? You can add them to https://github.com/OWASP/owasp-mastg/blob/master/.github/workflows/config/url-checker-config.json

@cpholguera (Collaborator)

> There is something not working with the MASTG-DEMO tests. The moment I started touching them, the matrix broke. So I am leaving them aside.

I just fixed the matrix. If you git pull origin master it should be fine again. Thanks for letting me know!

@cpholguera (Collaborator) left a comment

Just a quick first pass for now, thanks a lot @sydseter!

@cpholguera (Collaborator)

Idea: maybe we could also build a glossary for these and other terms.

See:

sydseter and others added 19 commits March 12, 2025 01:53
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
@sydseter sydseter requested a review from cpholguera March 12, 2025 02:45
@sydseter (Collaborator, Author)

> Idea: maybe we could also build a glossary for these and other terms.
>
> See:

Done.

@sydseter (Collaborator, Author)

> There is something not working with the MASTG-DEMO tests. The moment I started touching them, the matrix broke. So I am leaving them aside.
>
> I just fixed the matrix. If you git pull origin master it should be fine again. Thanks for letting me know!

Updated MASTG-DEMO tests.

Development

Successfully merging this pull request may close these issues.

Clarifying Cryptographic Language (e.g. "weak") in MASTG-TEST-0210 & MASTG-TEST-0211
2 participants