Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dc v6 patch3 #2371

Merged
merged 12 commits into from
Nov 19, 2024
Merged

Dc v6 patch3 #2371

merged 12 commits into from
Nov 19, 2024

Conversation

danielcuthbert
Copy link
Collaborator

Relating to #2315, #2314

| **6.5.3** | [MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used. | | | ✓ | 326 |
| **6.5.4** | [MOVED FROM 6.2.7] Verify that encrypted data is authenticated via signatures, including unencrypted tokens being used for secure access control, as well as through authenticated cipher modes or HMAC for protection against unauthorized modification. | | | ✓ | 326 |
| **6.5.3** | [MODIFIED, MOVED FROM 6.2.6, LEVEL L2 > L3] Verify that nonces, initialization vectors, and other single-use numbers are not used for more than one encryption key/data-element pair. The method of generation must be appropriate for the algorithm being used. | | | ✓ | 326 |
| **6.5.4** | [MODIFIED, MOVED FROM 6.2.7] Verify that encrypted data is authenticated via signatures, including unencrypted tokens being used for secure access control, as well as through authenticated cipher modes or HMAC for protection against unauthorized modification. | | | ✓ | 326 |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"HMAC" → This should be "or a MAC"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any need to talk about encrypt-then-mac vs mac-then-encrypt vs mac-and-encrypt?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To answer your questions:

  • HMAC can become MAC, but HMAC is usually preferred.
  • Yes, there is a need to talk about this - since RFC7366 and with developments in ISO19772 and its revisions, it has been common practice to promote Authenticated Encryption with Associated Data (AEAD). EtH (Encrypt then Hash) or EtM (Encrypt then MAC) are common ways to achieve AEAD. However, in systems like SSH they have the choice between ciphers with and without etm in the name, hence it MUST be explicitly stated.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to add this to the Appendix once this patch is in.


## V6.7 Key Exchange Mechanisms

There exists a need for approved key exchange mechanisms, such as Diffie-Hellman and Elliptic Curve Diffie-Hellman (ECDH) to ensure that the cryptosystem remains secure against modern threats.

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **6.7.1** | [ADDED] Verify that industry-proven cryptographic algorithms, such as Diffie-Hellman groups, with a focus on ensuring that key exchange mechanisms use secure parameters to prevent man-in-the-middle attacks or cryptographic breaks, are used for key exchanges to prevent attacks on the key establishment process. | | ✓ | ✓ | 798 |
| **6.7.1** | [ADDED] Verify that industry-proven cryptographic algorithms, such as Diffie-Hellman groups, with a focus on ensuring that key exchange mechanisms use secure parameters to prevent man-in-the-middle attacks or cryptographic breaks, are used for key exchanges to prevent attacks on the key establishment process. | | ✓ | ✓ | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"cryptographic algorithms, such as Diffie-Hellman groups" → I think it should read "cryptographic algorithms, such as Diffie-Hellman" because a DH group is not really an algorithm but only a group (i.e. a mathematical construct).

May we reword as

Verify that industry-proven cryptographic key exchanges, such as Diffie-Hellman, are used in order to prevent attacks on the key establishment process. The key exchange mechanisms must use secure parameters to prevent man-in-the-middle attacks or cryptographic breaks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to prevent man-in-the-middle attacks or cryptographic breaks.

Should we mention the notion of "authenticated key exchange" (i.e. anonymous Diffie-Hellman is usually not so great).

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we can reword it like that, and yes, we can mention it for the same reasons we should mention AEAD/EtM above. :)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how does this resonate?

| 6.7.1 | [ADDED] Verify that industry-proven cryptographic algorithms are used for key exchanges with secure parameters to prevent man-in-the-middle attacks or cryptographic breaks. Ensure that key exchange mechanisms employ authenticated key exchange protocols to verify the identities of communicating parties and mitigate attacks on the key establishment process. | | ✓ | ✓ | |

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"… and provides forward secrecy" 😉 #2215

(Actually I think it would be better to include forward secrecy as a separate requirement … ?)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to add this to the Appendix once this patch is in.

| **6.6.2** | [MODIFIED, MOVED FROM 2.4.1, MERGED FROM 2.4.3, 2.4.4] Verify that passwords are stored using an approved, computationally intensive, hashing algorithm with parameter settings configured based on current guidance. The settings should balance security and performance to make brute-force attacks more challenging. | | ✓ | ✓ | |
| **6.6.3** | [ADDED, SPLIT FROM 6.2.5] Verify that cryptographic systems avoid the use of disallowed hash functions, such as MD5, SHA-1, or any other insecure hash functions, for any cryptographic purpose. | ✓ | ✓ | ✓ | |
| **6.6.4** | [ADDED] Verify that hash functions used in digital signatures are collision resistant and have appropriate bit-lengths to avoid attacks, such as collision or pre-image attacks. | ✓ | ✓ | ✓ | |
| **6.6.5** | [ADDED] Verify that hash functions used in HMAC, KDF, and random bit generation are derived from those with proper entropy seeding for random bit generation. | | ✓ | ✓ | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't really understand (can't parse the meaning) of this one.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you be more specific?

Copy link
Contributor

@randomstuff randomstuff Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verify that hash functions used in HMAC, KDF, and random bit generation are derived from those with proper entropy seeding for random bit generation.

I find it difficult to understand the last part ("are derived from those with proper entropy seeding for random bit generation") but after checking the appendix I understand that the correct column from the appendix must be checked :)

Can we reword it somehow like:

Verify that all hash function used in HMAC, KDF, and random bit generation are suitable for these usages.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reworded


### Post-Quantum Encryption Standards

PQC implementations must be inline with [FIPS-203](https://csrc.nist.gov/pubs/fips/203/ipd)/[204](https://csrc.nist.gov/pubs/fips/204/ipd)/[205](https://csrc.nist.gov/pubs/fips/205/ipd) as there isn't any hardened code nor implementation reference yet. https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"inline" → "in line"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what to do about this part. I read it as "you'll have to care about it later" so I'm not sure it adds much information in its current form.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe reword it as something like:

As there isn't any hardened code nor implementation reference available at the time of writing, this document currently does not recommend any Post-Quantum Cryptography (PQC) solution. An PQC implementation should be aligned with FIPS-203 and FIPS-204/205.

@tghosth tghosth enabled auto-merge (rebase) November 19, 2024 16:31
@tghosth tghosth merged commit 979bc64 into master Nov 19, 2024
6 checks passed
@tghosth tghosth deleted the dc_v6_patch3 branch November 19, 2024 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants