Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Weak Encryption: Missing Required Step

Abstract

The code misses invoking a required step during a symmetric key generation, encryption, or decryption process.

Explanation

The generation of symmetric keys as well as the encryption or decryption of secrets involves multiple steps, and missing any required step can compromise the strength of generated symmetric keys or ciphertext, or result in the incorrect decryption of an existing ciphertext.

Example 1: The following code skips the call to EVP_DecryptUpdate, which will result in a failure to decrypt the ciphertext.


...
EVP_DecryptInit_ex(&ctx, EVP_aes_256_gcm(), NULL, key, iv);
...
if(!EVP_DecryptFinal_ex(&ctx, outBuf+outBytes, &tmpOutBytes))
  prtErrAndExit(1, "ERROR: EVP_DecryptFinal_ex did not work...\n");
...

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 325

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[3] Standards Mapping - FIPS200 MP

[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

desc.controlflow.cpp.weak_encryption_missing_required_step

Abstract

The code misses invoking a required step during a symmetric key generation, encryption, or decryption process.

Explanation

The generation of symmetric keys as well as the encryption or decryption of secrets involves multiple steps, and missing any required step can compromise the strength of generated symmetric keys or ciphertext, or result in the incorrect decryption of an existing ciphertext.

Example 1: The following code skips the initialization step of KeyGenerator, possibly resulting in the use of a smaller than recommended key:


...
final String CIPHER_INPUT = "123456ABCDEFG";
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");

SecretKey secretKey = keyGenerator.generateKey();
byte[] byteKey = secretKey.getEncoded();
....

References

[1] JavaDoc for KeyGenerator Sun Microsystems

[2] Standards Mapping - Common Weakness Enumeration CWE ID 325

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[4] Standards Mapping - FIPS200 MP

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[10] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II

desc.controlflow.java.weak_encryption_missing_required_step

Abstract

The code misses invoking a required step during a symmetric key generation, encryption, or decryption process.

Explanation

The generation of symmetric keys as well as the encryption or decryption of secrets involves multiple steps, and missing any required step can compromise the strength of generated symmetric keys or ciphertext, or result in the incorrect decryption of an existing ciphertext.

Example 1: The following code skips the call to OpenSSL::Cipher#update, which will result in a failure to decrypt the ciphertext:


require 'openssl'
...
decipher = OpenSSL::Cipher::AES.new(128, :GCM)
decipher.decrypt
decipher.key = key
decipher.iv = iv

plain = decipher.final #missed update method
...