Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[MASWE-0023] Weak Padding #2922

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

[MASWE-0023] Weak Padding #2922

wants to merge 17 commits into from

Conversation

jmariasantosdekra
Copy link
Collaborator

This PR closes #2587.

jmariasantosdekra and others added 17 commits August 5, 2024 11:32
@jmariasantosdekra
Added MASWE-0019.md
a4d6067
@jmariasantosdekra
Removed blank spaces from MASWE-0019.md
6d2ee8e
@jmariasantosdekra
Added newline at the end of MASWE-0019.md
d09e475
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
611a6df 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
45ad705 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
531a37a 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
49dadc5 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
f7fe868 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
ed95b33 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra @cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
ff7dff2 
Co-authored-by: Carlos Holguera <[email protected]>
@jmariasantosdekra
Update MASWE-0019.md
9b7a164
@cpholguera
Update weaknesses/MASVS-CRYPTO/MASWE-0019.md
722d802
@jmariasantosdekra
Merge branch 'OWASP:master' into master
903993b
@jmariasantosdekra
Merge branch 'OWASP:master' into master
b660943
@jmariasantosdekra
Added MASWE-0023.md content
61a1fb5
@jmariasantosdekra
Removed newlines and blank spaces
8adaaea
@jmariasantosdekra
Added final blankspace
74d6df0
cpholguera
cpholguera requested changes Oct 28, 2024
View reviewed changes
Copy link
Collaborator

@cpholguera cpholguera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First quick round of review. Thanks @jmariasantosdekra!

weaknesses/MASVS-CRYPTO/MASWE-0023.md
- NoPadding
- PKCS1-v1_5
status: draft

---
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
---
status: new
---

weaknesses/MASVS-CRYPTO/MASWE-0023.md
---

## Overview

Outdated or weak padding schemes, such as PKCS1v1.5 or other padding schemes that fail to comply with secure standards, such as NIST SP 800-56B are not recommended for use. These padding schemes include vulnerabilities that may allow attackers to undermine security mechanisms, such as padding oracle attacks.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is NIST SP 800-56B the right one? Please double check and add an inline link.

Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography

This Recommendation specifies key-establishment schemes using integer factorization cryptography (in particular, RSA). Both key-agreement and key transport schemes are specified for pairs of entities, and methods for key confirmation are included to provide assurance that both parties share the same keying material. In addition, the security properties associated with each scheme are provided.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please add an inline link for "padding oracle attacks"

weaknesses/MASVS-CRYPTO/MASWE-0023.md
Comment on lines +25 to +26
Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't require intros here.

Suggested change
Weak padding schemes can completely undermine the security of the cryptographic algorithms, exposing sensitive data to attackers, and making systems vulnerable to various attacks. This can lead to:

weaknesses/MASVS-CRYPTO/MASWE-0023.md
Comment on lines +27 to +29
- **Data breaches**: Weak padding can lead to unauthorized access to sensitive data, resulting in data breaches.
- **Loss of data integrity**: Padding attacks may aid attackers in manipulating ciphertext, leading to unauthorized data modifications.
- **Compromised confidentiality**: Weak padding may aid attackers in recovering plaintext from encrypted data.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to shortly explain how each thing could happen.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpholguera cpholguera cpholguera requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[MASWE-0023] Weak Padding
2 participants
@jmariasantosdekra @cpholguera