From ee066799ac23401de4ee29f69a10a79ed099a3d1 Mon Sep 17 00:00:00 2001 From: Nuno Antunes Date: Thu, 7 Nov 2024 17:00:00 +0000 Subject: [PATCH 1/2] Adds MASTG-TEST-0x14-23 --- .../MASVS-CRYPTO/MASTG-TEST-0x14-23.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md new file mode 100644 index 0000000000..cfa60ff1e0 --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md @@ -0,0 +1,40 @@ +--- +platform: android +title: Weak Padding +id: MASTG-TEST-0x14-23 +type: [static, dynamic] +weakness: MASWE-0023 +--- + +## Overview + +The cipher padding used in a security sensitive context should be carefully selected, otherwise it can be used to compromise the confidentiality, integrity and authenticity of the encrypted data. + +In the case of symmetric block ciphers, a secure padding scheme is used to prevent that the last block is not filled data that could be exploited by the adversary. +In the case of assymetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext. + +Check the [documentation on attacks agains padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples. + +There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocs. + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of encryption related APIs, such as [`Cipher.getInstance`](https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)), and the first argument (`transformation`) being used. + +## Observation + +The output should contain a list of locations where a `Cipher` is being created and the text of the respective `transformation`. + +## Evaluation + +The test case fails if you can find at least one `Cipher` defined with a `transformation` whose [padding scheme is not adequate](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) to the algorithm and mode, and such `Cipher` is used in a security sensitive context. + +- If you are using `RSA` algorithm, you are required to use `OAEPPadding` (or one of its versions); +- Otherwise, weak padding such as NoPadding, ZeroPadding, etc. should be avoided unless you are sure that is secure for that specific combination (e.g., as is the case for `AES/GCM/NoPadding`). + +Check the documentation for [specific recomendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms). + +## References + +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) +- [Cryptographic Mechanisms: Recommendations and Key Lengths](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile) From d8bdb7a08e76484c6abc5183def2a26896f2cb91 Mon Sep 17 00:00:00 2001 From: Nuno Antunes Date: Thu, 7 Nov 2024 17:12:53 +0000 Subject: [PATCH 2/2] Fix typos --- tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md index cfa60ff1e0..d095aa7c19 100644 --- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md @@ -11,11 +11,11 @@ weakness: MASWE-0023 The cipher padding used in a security sensitive context should be carefully selected, otherwise it can be used to compromise the confidentiality, integrity and authenticity of the encrypted data. In the case of symmetric block ciphers, a secure padding scheme is used to prevent that the last block is not filled data that could be exploited by the adversary. -In the case of assymetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext. +In the case of asymmetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext. -Check the [documentation on attacks agains padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples. +Check the [documentation on attacks against padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples. -There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocs. +There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocks. ## Steps @@ -32,7 +32,7 @@ The test case fails if you can find at least one `Cipher` defined with a `transf - If you are using `RSA` algorithm, you are required to use `OAEPPadding` (or one of its versions); - Otherwise, weak padding such as NoPadding, ZeroPadding, etc. should be avoided unless you are sure that is secure for that specific combination (e.g., as is the case for `AES/GCM/NoPadding`). -Check the documentation for [specific recomendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms). +Check the documentation for [specific recommendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms). ## References