From ba008bbcee90e0dd51d1ab554efb78e8b4b5b88d Mon Sep 17 00:00:00 2001 From: Nuno Antunes Date: Thu, 7 Nov 2024 11:24:41 +0000 Subject: [PATCH 1/3] Porting MASTG-TEST-0014 (regarding MASWE 21 & 22) --- .../MASVS-CRYPTO/MASTG-TEST-0x14-21.md | 28 +++++++++++++++ .../MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md | 31 +++++++++++++++++ .../MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md | 34 +++++++++++++++++++ .../MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md | 31 +++++++++++++++++ tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md | 3 ++ 5 files changed, 127 insertions(+) create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md new file mode 100644 index 0000000000..db4ef60e8c --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-21.md @@ -0,0 +1,28 @@ +--- +platform: android +title: Weak Hashing Algorithms +id: MASTG-TEST-0x14-1 +type: [static, dynamic] +weakness: MASWE-0021 +--- + +## Overview + +When apps need to use hashing in security sensitive scenarios, it is important to not use [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) algorithms. + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of hash related APIs, such as [`MessageDigest.getInstance`](https://developer.android.com/reference/java/security/MessageDigest#getInstance(java.lang.String)), and the algorithm being used. + +## Observation + +The output should contain a list of locations where hashing is being used and the respective algorithms. + +## Evaluation + +The test case fails if you can find [insecure or deprecated](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) hashing algorithms being used in a security sensitive scenario. + +## References + +- [NIST - Hash Functions - Approved Algorithms](https://csrc.nist.gov/projects/hash-functions) +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md new file mode 100644 index 0000000000..324e2b109c --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md @@ -0,0 +1,31 @@ +--- +platform: android +title: Hardcoded Initialization Vectors +id: MASTG-TEST-0x14-22-2 +type: [static, dynamic] +weakness: MASWE-0022 +--- + +## Overview + +Several block cipher modes require an [initialization vector (`IV`)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher. +In general, the `IV` does not have to be kept secret, but it should not be reused or predictable. + +**Hardcoded initialization vectors** are the worst scenario and allow an attacker to easily defeat the purpose for which the encryption is being used. + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc. +1. Track all the posterior uses of the identified objects. + +## Observation + +The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used. + +## Evaluation + +The test case fails if you can find `AlgorithmParameterSpec` objects being created with hardcoded data and then used to initialize a `Cipher`. + +## References + +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md new file mode 100644 index 0000000000..3e150be84c --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md @@ -0,0 +1,34 @@ +--- +platform: android +title: Reused Initialization Vectors +id: MASTG-TEST-0x14-22-1 +type: [static, dynamic] +weakness: MASWE-0022 +--- + +## Overview + +Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher. +In general, the IV does not have to be kept secret, but it should not be reused or predictable. + +Reusing initialization vectors allow the attacker to recover the original message and in the case of some modes (e.g., `GCM`) allow [tampering with the encrypted messages](https://asecuritysite.com/golang/go_reuseiv). + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc. +1. Track all the posterior uses of the identified objects. + +## Observation + +The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used. + +## Evaluation + +The test case fails if you observe at least one of the following: + +- you can find the multiple `AlgorithmParameterSpec` objects created with the same data, and each then used to initialize its `Cipher`. +- you can find the same `AlgorithmParameterSpec` object used to initialize multiple `Cipher`s. + +## References + +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md new file mode 100644 index 0000000000..5d61749322 --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md @@ -0,0 +1,31 @@ +--- +platform: android +title: Predictable Initialization Vectors +id: MASTG-TEST-0x14-22-3 +type: [static, dynamic] +weakness: MASWE-0022 +--- + +## Overview + +Several block cipher modes require an [initialization vector (IV)](../../../Document/0x04g-Testing-Cryptography.md#Predictable-Initialization-Vector) as one of the initial input to the cipher. +In general, the IV does not have to be kept secret, but it should not be reused or predictable. + +Predictable initialization vectors can allow the attackers to conduct [chosen plaintext attack](https://crypto.stackexchange.com/a/18401), and therefore should be avoided in security sensitive scenarios. + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all uses of classes implementing [AlgorithmParameterSpec](https://developer.android.com/reference/java/security/spec/AlgorithmParameterSpec), such as [IvParameterSpec](https://developer.android.com/reference/javax/crypto/spec/IvParameterSpec), [GCMParameterSpec](https://developer.android.com/reference/javax/crypto/spec/GCMParameterSpec), etc. +1. Track all the posterior uses of the identified objects. + +## Observation + +The output should contain a list of locations where `AlgorithmParameterSpec` objects were created and used. + +## Evaluation + +The test case fails if you can find `AlgorithmParameterSpec` objects being created with weak or deterministic random generator and then used to initialize a `Cipher` that is used in a security sensitive scenario. + +## References + +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file diff --git a/tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md b/tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md index 11e54f6bd5..b27c875cb8 100644 --- a/tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md +++ b/tests/android/MASVS-CRYPTO/MASTG-TEST-0014.md @@ -10,6 +10,9 @@ title: Testing the Configuration of Cryptographic Standard Algorithms masvs_v1_levels: - L1 - L2 +status: deprecated +covered_by: ['MASTG-TEST-0x14-21', 'MASTG-TEST-0x14-22', 'MASTG-TEST-0x14-23', 'MASTG-TEST-0x14-24', 'MASTG-TEST-0x14-25', 'MASTG-TEST-0x14-26'] +deprecation_reason: New version available in MASTG V2 --- ## Overview From 34f1f9d9056c7fb46f7dce9782d3e854e21b1a73 Mon Sep 17 00:00:00 2001 From: Nuno Antunes Date: Thu, 7 Nov 2024 11:31:57 +0000 Subject: [PATCH 2/3] Traling newlines --- tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md | 2 +- tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md | 2 +- tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md index 324e2b109c..9024e07ac4 100644 --- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-1.md @@ -28,4 +28,4 @@ The test case fails if you can find `AlgorithmParameterSpec` objects being creat ## References -- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md index 3e150be84c..6d5c7e6906 100644 --- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-2.md @@ -31,4 +31,4 @@ The test case fails if you observe at least one of the following: ## References -- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md index 5d61749322..8e329e2df5 100644 --- a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-22-3.md @@ -28,4 +28,4 @@ The test case fails if you can find `AlgorithmParameterSpec` objects being creat ## References -- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) \ No newline at end of file +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) From 7693cafdfcef81663792b6f19699ed39b72ca759 Mon Sep 17 00:00:00 2001 From: Nuno Antunes Date: Thu, 7 Nov 2024 17:34:06 +0000 Subject: [PATCH 3/3] Adds MASTG-TEST-0x14-23 --- .../MASVS-CRYPTO/MASTG-TEST-0x14-23.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md diff --git a/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md new file mode 100644 index 0000000000..d095aa7c19 --- /dev/null +++ b/tests-beta/android/MASVS-CRYPTO/MASTG-TEST-0x14-23.md @@ -0,0 +1,40 @@ +--- +platform: android +title: Weak Padding +id: MASTG-TEST-0x14-23 +type: [static, dynamic] +weakness: MASWE-0023 +--- + +## Overview + +The cipher padding used in a security sensitive context should be carefully selected, otherwise it can be used to compromise the confidentiality, integrity and authenticity of the encrypted data. + +In the case of symmetric block ciphers, a secure padding scheme is used to prevent that the last block is not filled data that could be exploited by the adversary. +In the case of asymmetric encryption (e.g., `RSA`), padding scheme is required to prevent deterministic encryption, i.e., that a specific plaintext always results in the same ciphertext. + +Check the [documentation on attacks against padding](../../../Document/0x04g-Testing-Cryptography.md#Padding-Oracle-Attacks-due-to-Weaker-Padding-or-Block-Operation-Implementations) for more complete examples. + +There are exceptions to this, as is the case of the [android recommended cipher](https://developer.android.com/privacy-and-security/cryptography#choose-algorithm) `AES/GCM/NoPadding`, in which `GCM` mode uses part of the authentication tag as padding for the blocks. + +## Steps + +1. Run @MASTG-TECH-0014 with a tool such as @MASTG-TOOL-0110 on the app binary, or use @MASTG-TECH-0033 (dynamic analysis) with a tool like @MASTG-TOOL-0001, and identify all the uses of encryption related APIs, such as [`Cipher.getInstance`](https://developer.android.com/reference/javax/crypto/Cipher#getInstance(java.lang.String)), and the first argument (`transformation`) being used. + +## Observation + +The output should contain a list of locations where a `Cipher` is being created and the text of the respective `transformation`. + +## Evaluation + +The test case fails if you can find at least one `Cipher` defined with a `transformation` whose [padding scheme is not adequate](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms) to the algorithm and mode, and such `Cipher` is used in a security sensitive context. + +- If you are using `RSA` algorithm, you are required to use `OAEPPadding` (or one of its versions); +- Otherwise, weak padding such as NoPadding, ZeroPadding, etc. should be avoided unless you are sure that is secure for that specific combination (e.g., as is the case for `AES/GCM/NoPadding`). + +Check the documentation for [specific recommendation on padding schemes to use](../../../Document/0x04g-Testing-Cryptography.md#Identifying-Insecure-and/or-Deprecated-Cryptographic-Algorithms). + +## References + +- [Testing Cryptography](../../../Document/0x04g-Testing-Cryptography.md) +- [Cryptographic Mechanisms: Recommendations and Key Lengths](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile)