界: Security Features
軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。
Weak Encryption: Stream Cipher
Abstract
當加密的資料儲存在磁碟上,或者如果多次使用金鑰,則使用串流密碼是很危險的。
Explanation
串流密碼容易受到「金鑰重複使用」攻擊,也稱為「欺騙性密碼本」攻擊。此類型的弱點發生於多次使用同一金鑰時,因為可以輕鬆地透過 XOR 運算密碼文字的兩個字串,並將金鑰設為 Null,從而只留下透過 XOR 運算的純文字。由於人類語言以特定方式設定格式,因此,通常可以輕鬆復原原始的兩則訊息。
若要阻止上述攻擊,將需要使用全新的初始化向量 (IV),所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都要求重複使用同一 IV。
2) 使用會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護。這樣的方法需要持續進行更新 IV、需要是使用者不可讀取的,且加密文字需要佔用比未加密純文字更多的磁碟空間。
鑒於以上兩點,使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其功能類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼用於以常數 IV 加密資料,並將其儲存在磁碟上:
在
若要阻止上述攻擊,將需要使用全新的初始化向量 (IV),所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都要求重複使用同一 IV。
2) 使用會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護。這樣的方法需要持續進行更新 IV、需要是使用者不可讀取的,且加密文字需要佔用比未加密純文字更多的磁碟空間。
鑒於以上兩點,使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其功能類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼用於以常數 IV 加密資料,並將其儲存在磁碟上:
import (
"crypto/aes"
"crypto/cipher"
"os"
)
...
iv = b'1234567890123456'
CTRstream = cipher.NewCTR(block, iv)
CTRstream.XORKeyStream(plaintext, ciphertext)
...
f := os.Create("data.enc")
f.Write(ciphertext)
f.Close()
在
Example 1 中,由於 iv 已設為常數初始化向量,因此容易受到重複使用攻擊。References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - Common Weakness Enumeration CWE ID 327
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.golang.weak_encryption_stream_cipher
Abstract
與儲存的資料搭配使用,或是使用金鑰超過一次時,串流密碼是危險的。
Explanation
串流密碼容易受到「金鑰重複使用」攻擊,也稱為「欺騙性密碼本」攻擊。這意味著,如果多次使用同一金鑰,則可以輕鬆地透過 XOR 運算密碼文字的兩個字串,並將金鑰設為 Null,從而只留下透過 XOR 運算的純文字。由於人類語言以特定方式設定格式,因此,通常可以輕鬆地恢復原始的兩則訊息。
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
...
const cipher = crypto.createCipheriv("AES-256-CTR", key, 'iv')
const ciphertext = cipher.update(plaintext, 'utf8');
cipher.final();
fs.writeFile('my_encrypted_data', ciphertext, function (err) {
...
});
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 327
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.javascript.weak_encryption_stream_cipher
Abstract
如果加密的資料將儲存在磁碟上,或者如果多次使用金鑰,則使用串流密碼是很危險的。
Explanation
串流密碼容易受到「金鑰重複使用」攻擊,也稱為「欺騙性密碼本」攻擊。這意味著,如果多次使用同一金鑰,則可以輕鬆地透過 XOR 運算密碼文字的兩個字串,並將金鑰設為 Null,從而只留下透過 XOR 運算的純文字。由於人類語言以特定方式設定格式,因此,通常可以輕鬆地恢復原始的兩條訊息。
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
在
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
from Crypto.Cipher import AES
from Crypto import Random
...
key = Random.new().read(AES.block_size)
iv = b'1234567890123456'
cipher = AES.new(key, AES.MODE_CTR, iv, counter)
...
encrypted = cipher.encrypt(data)
f = open("data.enc", "wb")
f.write(encrypted)
f.close()
...
在
Example 1 中,由於 iv 已設為常數初始化向量,因此容易受到重複使用攻擊。References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - Common Weakness Enumeration CWE ID 327
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.python.weak_encryption_stream_cipher
Abstract
與儲存的資料搭配使用,或是使用金鑰超過一次時,串流密碼是危險的。
Explanation
串流密碼容易受到「金鑰重複使用」攻擊,也稱為「欺騙性密碼本」攻擊。這意味著,如果多次使用同一金鑰,則可以輕鬆地透過 XOR 運算密碼文字的兩個字串,並將金鑰設為 Null,從而只留下透過 XOR 運算的純文字。由於人類語言以特定方式設定格式,因此,通常可以輕鬆地恢復原始的兩條訊息。
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
在
由於需要使用全新的初始化向量 (IV) 來阻止上述攻擊,所以串流密碼不適用於儲存加密的資料,因為這表示:
1) 使用磁碟磁區做為 IV:
此方法不安全,因為每次需要修改儲存的資料時都需要重複使用同一 IV。
2) 具有會將全新 IV 對應到磁碟磁區的複雜系統:
此方法難以維護,因為需要持續進行更新、需要是使用者不可讀取的,且加密文字需要佔用的磁碟空間比單獨的未加密純文字遠遠更多。
這兩點讓使用串流密碼而非區塊密碼來儲存加密資料是不利的。串流密碼的另一個問題是,其不提供驗證,因此容易受到「位元翻轉」攻擊。某些區塊密碼 (如「CTR」) 也容易受到這些攻擊,因為其執行方式類似於串流密碼。
範例 1:以下程式碼會建立串流密碼,此串流密碼接著用於以常數 IV 加密資料,並將其儲存在磁碟上:
require 'openssl'
...
cipher = OpenSSL::Cipher.new('AES-256-CTR')
cipher.encrypt
cipher.iv='iv'
...
encrypted = cipher.update(data) + cipher.final
File.open('my_encrypted_data', 'w') do |file|
file.write(encrypted)
end
在
Example 1 中,由於 OpenSSL::Cipher#iv= 已設為常數初始化向量,因此容易受到重複使用攻擊。References
[1] Disk Encryption Theory Wikipedia
[2] Clemens Fruhwirth New Methods in Hard Disk Encryption
[3] Standards Mapping - Common Weakness Enumeration CWE ID 327
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 327
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 327
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 327
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_stream_cipher