
[MASWE-0009] Weak Cryptographic Key Generation #2573

Closed
4 tasks
cpholguera opened this issue Mar 1, 2024 · 1 comment · Fixed by #2849

Comments

@cpholguera
Collaborator

cpholguera commented Mar 1, 2024

Description

Create a new risk for "Weak Cryptographic Key Generation (MASVS-CRYPTO-2)" using the following information:

e.g. 1024-bit RSA keys, 128-bit AES keys*, 160-bit ECDSA keys, 80-bit symmetric keys

Note about 128-bit AES keys: See "Symmetric algorithm key lengths" in https://en.wikipedia.org/wiki/Key_size

The Advanced Encryption Standard published in 2001 uses key sizes of 128, 192 or 256 bits. Many observers consider 128 bits sufficient for the foreseeable future for symmetric algorithms of AES's quality until quantum computers become available. However, as of 2015, the U.S. National Security Agency has issued guidance that it plans to switch to quantum computing resistant algorithms and now requires 256-bit AES keys for data classified up to Top Secret.

Create "risks/MASVS-CRYPTO/2-***-****/weak-crypto-key-generation/risk.md" including the following content:

```markdown
---
title: Weak Cryptographic Key Generation
alias: weak-crypto-key-generation
platform: [android, ios]
profiles: [L1, L2]
mappings:
  masvs-v1: [MSTG-CRYPTO-2]
  masvs-v2: [MASVS-CRYPTO-2]
  mastg-v1: [MASTG-TEST-0061, MASTG-TEST-0014]
---

## Overview

## Impact

## Modes of Introduction

## Mitigations
```

To complete the sections, follow the guidelines from Writing MASTG Risks & Tests.

Use at least the following references:

When creating the corresponding tests, use the following areas to guide you:

  • Insufficient Key Length
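As an added illustration of the "Insufficient Key Length" test area (example code, not part of this issue or of the MASTG project), the following Python script scans Java/Kotlin source for `KeyPairGenerator`/`KeyGenerator` instances, maps each variable to its algorithm, and flags `initialize()`/`init()` sizes below a threshold, treating 128-bit AES as "review" rather than "weak" per the note above. The thresholds, curve table and sample source are constructed assumptions for this example, not MASTG policy.

```python
import re
from collections import namedtuple

# Minimum acceptable sizes in bits. Constructed for this example from the
# sizes the issue lists as weak (1024-bit RSA, 160-bit ECDSA, 80-bit symmetric).
MIN_BITS = {"RSA": 2048, "EC": 224, "AES": 128}
# Named curves mapped to their field size in bits (small subset for the example).
CURVE_BITS = {"secp160r1": 160, "secp224r1": 224, "secp256r1": 256}

GET_INSTANCE = re.compile(r'(\w+)\s*=\s*(?:KeyPairGenerator|KeyGenerator)\.getInstance\("(\w+)"')
INIT_INT = re.compile(r'(\w+)\.(?:initialize|init)\(\s*(\d+)')
INIT_CURVE = re.compile(r'(\w+)\.initialize\(\s*(?:new\s+)?ECGenParameterSpec\("([\w-]+)"\)')
Finding = namedtuple("Finding", "line algorithm bits verdict")  # verdict: "weak" | "review"

def scan(source: str) -> list:
    """Return one Finding per key-generation call that is weak or needs review."""
    generators = {}  # variable name -> algorithm, recorded from getInstance() calls
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = GET_INSTANCE.search(line)
        if m:
            generators[m.group(1)] = m.group(2).upper()
            continue
        m = INIT_INT.search(line) or INIT_CURVE.search(line)
        if not m or m.group(1) not in generators:
            continue
        alg = generators[m.group(1)]
        bits = int(m.group(2)) if m.group(2).isdigit() else CURVE_BITS.get(m.group(2))
        if bits is None:
            continue  # unknown curve name: not classified by this example
        if bits < MIN_BITS.get(alg, 128):
            findings.append(Finding(lineno, alg, bits, "weak"))
        elif alg == "AES" and bits == 128:
            # Meets the common minimum but is flagged for review: the NSA guidance
            # quoted in the issue requires 256-bit AES for data up to Top Secret.
            findings.append(Finding(lineno, alg, bits, "review"))
    return findings

# Constructed sample of Android source, not taken from any real app.
SAMPLE = """\
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(128);
KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
ec.initialize(new ECGenParameterSpec("secp160r1"));
KeyPairGenerator ok = KeyPairGenerator.getInstance("RSA");
ok.initialize(4096);
"""
```

Running `scan(SAMPLE)` reports the 1024-bit RSA and 160-bit EC keys as weak, the 128-bit AES key as review, and nothing for the 4096-bit RSA key.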

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-CRYPTO/2-***-****/weak-crypto-key-generation/risk.md).
  • The risk content follows the guidelines.
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction").
  • The risk indicates the related MASTG v1 tests in its metadata.
@sk3l10x1ng
Collaborator

Please assign to me, I will work on it.
