From 2f1ae6fa4567cf11e6ca6f818f093351a0452fdf Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 10:33:25 +0200 Subject: [PATCH 1/9] Fixes #2574 --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 36 ++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index 847c7a3..58e696d 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -14,9 +14,43 @@ refs: draft: description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc. topics: - - sources with insufficient entropy + - improper cryptography - lack of salt encryption when doing PBKDF2 status: placeholder --- +## Overview + +Improper Key derivation functions will generate a key using a scheme or iteration count that does not provide a sufficient level of computational effort. This can open up the possibility for brute force password/secret cracking or dictionary attacks. +In cases where a user-supplied password or pin is used without a sufficiently random salt the resulting output will be identical or similar enough to allow an attacker to execute a brute force attack to find the original password/pin using the KDF (key derivation function) as an "oracle". +A similar issue happens when the salt is user-supplied. Consider a mobile app that generates user keys from a master key on demand during installation. Let's say that a key used in the mobile app is derived from this master key using the username or other user supplied value as salt. Such an implementation can make it possible for an attacker to retrieve the derived key by using the username or supplied user value as input. + +HKDFs or any other type of integrity based hashing algorithm like MD5, SHA-1, SHA-2 or even SHA-3 aren't designed for low-entropy inputs like in the username example above. Therefore, password crackers can fairly efficiently crack massive amounts of passwords for KDFs that aren't purposefully designed to be slow and memory-intensive. +A similar issue happens when using deprecated, risky or broken KDF- or password hashing algorithms known to the vulnerable to various types of attacks. +Also, cryptographic algorithms (such as symmetric encryption or some MACs) expect a secret input of a given size. + +For example, AES uses a key of exactly 16 bytes. A naive implementation might use a username, a low entropy password or pin directly as an input key. Using a username, a low entropy password or pin as an input key has the following problems: + +- If the password is smaller than the key, the full key space isn't used. The remaining space is padded, often with spaces or null bytes. +- A user-supplied password will realistically consist mostly of displayable and pronounceable characters. Therefore, only some of the possible 256 ASCII characters are used and entropy is decreased by approximately a factor of four. + +## Impact + +- **Risk of Brute-Force Attacks**: Improper Key derivation functions expose the app to brute force password- and secret cracking attacks, and key or dictionary attacks such as rainbow tables. +- **Loss of Confidentiality**: Improper Key derivation may allow an attacker to guess or find the input and therefore steal the user's password or cryptographic key. +- **Loss of Integrity**: Given that the attacker has access to the user's password or cryptographic key, the overall security of the app and mobile phone may be compromised. + +## Modes of Introduction + +- **Using static or predictable salt on low-entropy input**: Using an enumerable pin code or low entropy password together with a static or predictable salt makes it possible for the attacker to to pre-compute the hash value using dictionary attack, effectively disabling the protection that a salt would provide. +- **Using user-supplied salt**: Using a low entropy salt will make it possible for an attacker to extract all derived keys through a KDF by supplying the low entropy salt as an argument. +- **Using non-resource intensive algorithms on low-entropy input**: Using an enumerable pin code or low entropy password together with a HKDF makes it easy for password crackers to execute a preimage attack. +- **Use a hash function as a general-purpose KDF**: In scenarios where the information used during key derivation is attacker-controlled, using a integrity based hash function (e.g from the SHA family) as KDF can expose the application to brute force or length-extension attacks. +- **Using Deprecated, Risky or Broken Algorithms**: Relying on deprecated, risky or inherently broken cryptographic algorithms can result in the generation of weaker keys. As these algorithms often have vulnerabilities or support shorter key lengths, they are more susceptible to modern attacks, compromising the overall security of the app. + +## Mitigations + +- **Generate random salt using CSPRNGs with high entropy seeding**: Ensuring the use of strong, cryptographically secure PRNGs called CSPRNGs with high entropy seeding is essential for robust key security. +- **Use Recommended and Approved algorithms that are fit for purpose**: In cases where the input is user-controlled, use key derivation functions such as Argon2, scrypt, bcrypt or PBKDF2 that provide a sufficient level of computational effort. Otherwise, ensure the input is thoroughly random using a recommended CSPRNG that guarantees high entropy seeding. +- **Prefer HKDF and other KDFs that were designed specifically for key derivation**: HKDF and other KDFs specifically meant for key derivation will ensure the app isn't exposed to length-extension attacks. From 810b7a36ee069c348559add9e0c93172b9e9efee Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 16:12:16 +0200 Subject: [PATCH 2/9] Update MASWE-0010.md --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index 58e696d..0982fd2 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -16,7 +16,7 @@ draft: topics: - improper cryptography - lack of salt encryption when doing PBKDF2 -status: placeholder +status: new --- From 3b3005f9db235a0aaf7bf95d5c16ab3d2f152c9a Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 16:22:18 +0200 Subject: [PATCH 3/9] Update MASWE-0010.md --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index 0982fd2..b8f4f6b 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -11,11 +11,10 @@ mappings: refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf -draft: - description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc. - topics: - - improper cryptography - - lack of salt encryption when doing PBKDF2 +description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc. +topics: +- improper cryptography +- lack of salt encryption when doing PBKDF2 status: new --- From 3938f8e1054310fb589c4941a5ad50434d7037e2 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Tue, 15 Jul 2025 17:37:39 +0200 Subject: [PATCH 4/9] Correct topic --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index b8f4f6b..eae7a16 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -13,7 +13,7 @@ refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc. topics: -- improper cryptography +- sources with insufficient entropy - lack of salt encryption when doing PBKDF2 status: new From ab0ff0a424d079441e2c074fb912e8e2adf037ce Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 13:03:11 +0200 Subject: [PATCH 5/9] Remove description and tooics --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index eae7a16..7204597 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -11,10 +11,7 @@ mappings: refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf -description: e.g. PBKDF2 with insufficient iterations, lack of salt, etc. -topics: -- sources with insufficient entropy -- lack of salt encryption when doing PBKDF2 + status: new --- From 01a2005992ba44045049924d10b9f93a24b81a61 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 13:10:21 +0200 Subject: [PATCH 6/9] Remove new line --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 1 - 1 file changed, 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index 7204597..78c3d8f 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -11,7 +11,6 @@ mappings: refs: - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf - status: new --- From d1ccd39aeceeb9de98c007e1dad5718057929f1e Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 13:15:21 +0200 Subject: [PATCH 7/9] case were salt is left out. --- weaknesses/MASVS-CRYPTO/MASWE-0010.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0010.md b/weaknesses/MASVS-CRYPTO/MASWE-0010.md index 78c3d8f..789d1e0 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0010.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0010.md @@ -19,7 +19,7 @@ status: new Improper Key derivation functions will generate a key using a scheme or iteration count that does not provide a sufficient level of computational effort. This can open up the possibility for brute force password/secret cracking or dictionary attacks. In cases where a user-supplied password or pin is used without a sufficiently random salt the resulting output will be identical or similar enough to allow an attacker to execute a brute force attack to find the original password/pin using the KDF (key derivation function) as an "oracle". -A similar issue happens when the salt is user-supplied. Consider a mobile app that generates user keys from a master key on demand during installation. Let's say that a key used in the mobile app is derived from this master key using the username or other user supplied value as salt. Such an implementation can make it possible for an attacker to retrieve the derived key by using the username or supplied user value as input. +A similar issue happens when the salt is user-supplied or left out. Consider a mobile app that generates user keys from a master key on demand during installation. Let's say that a key used in the mobile app is derived from this master key using the username or other user supplied value as salt. Such an implementation can make it possible for an attacker to retrieve the derived key by using the username or supplied user value as input. HKDFs or any other type of integrity based hashing algorithm like MD5, SHA-1, SHA-2 or even SHA-3 aren't designed for low-entropy inputs like in the username example above. Therefore, password crackers can fairly efficiently crack massive amounts of passwords for KDFs that aren't purposefully designed to be slow and memory-intensive. A similar issue happens when using deprecated, risky or broken KDF- or password hashing algorithms known to the vulnerable to various types of attacks. From ea2f849cd7b371ef6ab20f43fe9ec7d601f204be Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 16:44:19 +0200 Subject: [PATCH 8/9] #2585 Adding 2 more cases --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 4d19d10..1c92f81 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -19,6 +19,8 @@ draft: sensitive context may compromise data integrity and authenticity. topics: - Broken hashing algorithms (e.g. MD5, SHA1, etc.) + - Improper salting when doing password hashing using e.g. PBKDF2 + - Improper storage of password hashes status: placeholder --- From f556bb7ac803769126839b3b002644c0c7f0906b Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Wed, 16 Jul 2025 16:46:29 +0200 Subject: [PATCH 9/9] Remove suggested --- weaknesses/MASVS-CRYPTO/MASWE-0021.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/weaknesses/MASVS-CRYPTO/MASWE-0021.md b/weaknesses/MASVS-CRYPTO/MASWE-0021.md index 1c92f81..4d19d10 100644 --- a/weaknesses/MASVS-CRYPTO/MASWE-0021.md +++ b/weaknesses/MASVS-CRYPTO/MASWE-0021.md @@ -19,8 +19,6 @@ draft: sensitive context may compromise data integrity and authenticity. topics: - Broken hashing algorithms (e.g. MD5, SHA1, etc.) - - Improper salting when doing password hashing using e.g. PBKDF2 - - Improper storage of password hashes status: placeholder ---